In this article
Any business crisis can cost an organisation a lot of money, may have the potential to ruin its reputation, and may even have the capacity to effect business failure. This is why when a business crisis occurs, the last thing an organisation needs to be is unprepared.
Being prepared for if and when a business crisis might occur involves identifying what risks a business might face, the likelihood of it happening, the impact that it might have on the business should it happen, and planning to minimise any disruption in order to lessen the impact and to keep the business operating whilst it recovers from whatever the crisis is. This is known as continuity planning.
On 4 August 2022, the NHS suffered a significant business continuity failure when a ransomware attack targeted a major software provider for the NHS, which saw their critical NHS 111 service being taken offline, alongside management systems for GP surgeries, care homes and mental health services also being affected. The NHS is one of the largest employers in the UK. Computer downtime costs the organisation and the taxpayer significant money and endangers public healthcare. This was not the first cyber-attack that the NHS had experienced, nor would it be the last.
During the initial stages of this attack, with little or no coherent contingency or business continuity plan for such an event, the front-line staff had to revert to pen and paper, and make do with whatever records that they had that were not computer-based. This was obviously not the most effective way of providing continuity of services, as such endeavours are not a contingency for business continuity, but rather an unprepared reactive action to cope in an emergency situation. The attack took several months to rectify fully. Part of the delay in service restoration was the impact of the attack on legacy systems, something else that had not been taken into consideration.
Following on from the incident and witnessing how cyber-attacks can have devastating impacts on critical infrastructure, the NHS IT experts recognise that it is essential to continuously assess the current and ever-changing threat landscape to proactively defend and recover from any future incidents, whilst continuing to maintain some level of effective service for its users during the incident. The overall trend of ransomware attacks as a whole is rising each year, with roughly 3,070 ransomware victims in 2022. Ransomware attacks have risen by 87% in the UK during the first half of 2023 compared to the latter half of 2022 according to cyber-security firm Jumpsec.
Business crises are not limited to large organisations; they can occur anywhere, at any time and, for some, can have catastrophic impacts. Organisations that have not foreseen the risk potential, and have not adequately planned contingencies for if or when a crisis may happen, run the risk of never recovering. It has been said that 40% of small and mid-sized enterprises (SMEs) never reopen after a natural disaster.
During the 2020 COVID lockdowns, many more businesses would have been negatively impacted if they had not quickly put in place continuity plans to maintain service provision such as facilitating staff working from home, switching to online services, or changing their offerings to supplying more apt products and services. Despite the negative impact of the virus on many businesses across the world, there has been a surprising surge in the number of industries thriving as a result of the pandemic, and continuity planning may possibly have had a part to play in that.
Understanding Business Continuity Planning
Any incident, large or small, whether it is natural, accidental or deliberate, can cause major disruption to an organisation. Many organisations will have a Business Continuity Plan (BCP) in place and, as we have seen, this has been of vital importance to many businesses during and in the aftermath of the Covid-19 crisis. Business continuity is about anticipating any crises or catastrophes that could affect an organisation and planning for the likelihood of them happening, to make sure that the business can continue to function in the event of an emergency.
Business continuity planning differs from disaster recovery planning which has traditionally focused on the initial recovery of the business operations and service provision. Business continuity planning addresses all the requirements essential to keeping the business running longer term and includes processes to keep disruption to users and employees to a minimum. In other words, it is about ensuring that a crisis is managed effectively.
A business continuity plan sets out clear roles and responsibilities, for example those assigned to manage all liaisons with service users, customers, employees, suppliers, other stakeholders and the emergency services (if required). It details a series of contingency actions that enable key business activities to continue in the most difficult circumstances, such as when a vital computer system or other equipment is unavailable. Importantly, it also details clear emergency procedures to ensure that the safety of employees, customers and/or service users is a top priority.
Business continuity planning is the process of creating a plan to address a crisis. When writing out a business continuity plan, it is important to consider the variety of crises that could potentially affect the organisation and prepare a resolution for each to carry the business through so that it can continue to operate albeit at perhaps a reduced level.
A crisis can endanger an organisation’s business strategy, cause various types of harm to their employees and/or customers and/or service users, disrupt normal operations, and induce long-lasting reputational damage. However, if an organisation establishes effective crisis preparation and business continuity planning it can mitigate potential risks, and even emerge stronger.
The Foundation: Risk Assessment
Assessing risks to determine the potential impacts of a crisis on an organisation enables a business to determine the most effective use of resources to reduce the possible effects and to be able to continue operations. The reason that risk assessments are business continuity critical is that they help create a resilient organisation. A well-conducted risk assessment is the building block to an effective business impact analysis (BIA) and subsequent business continuity plan (BCP), both of which we will look at later in this article.
This type of risk assessment involves considering the following:
- What are the organisation’s key products and/or services?
- What are the critical assets, functions, activities and/or resources required to deliver these?
- What are the risks to these critical assets, functions, activities and/or resources?
- What will the impact be that a failure, delay, disruption or loss of these activities would have on the organisation, employees, customers/service users, reputation etc. over defined periods of time such as 24 hours, a week, longer?
- How will the organisation maintain these critical activities in the event of an incident or crisis such as loss of access to premises, loss of utilities etc?
A risk analysis links the business impact data with an understanding of operational activities, and prevention and mitigation are key aspects of building a solid business continuity foundation.
Types of Risks
Business risks are factors that threaten an organisation’s ability to operate, leading to financial loss or business failure. The types of disasters that a business should continuity plan for will depend on the business, the type of service, equipment or products that they provide, along with the location(s) in which they operate. Types of risks might include:
- Direct risk — this is a threat to a business that is within their control
- Indirect risk —this is a threat to a business that is outside of their control
- Internal risk — these are the risks that a business has the power to prevent or mitigate within their business
- External risk — these are the risks that the business has little or no control over
It is important for individual businesses to identify all the possible challenges and risks that might be applicable to them; however, some of the types of incidents or crises that could occur might include, but are not limited to:
- Natural disasters – as the title indicates, these are disasters that a business will have no control over, for example fires, floods, earthquakes, pandemics etc.
- Extreme weather – there may be times when weather conditions are so severe that employees may not be able to get to the workplace, or where travel in general is difficult, such as snowstorms, severe flooding or even heatwaves. These conditions may also affect the working environment, or cause damage to equipment.
- Health and safety – this can include equipment malfunction or failures, hazards and injuries to staff etc.
- Staff shortages – these can occur through, for example, rapid expansion, skills shortages, staff turnover or sick-absence or parental leave.
- Utilities outages – electrical, gas and water disruption to the business premises.
- Technological disasters – these include computer network failures (internal and external), communication systems, hardware failures or problems associated with using outdated equipment.
- Malicious attacks – malicious attacks are not limited to cyber-attacks, ransomware or hacking; vandalism, crime, fraud, riots, terrorism and reputational threats can all mean harm to a business and can lead to loss of service.
- Human error – disasters are not always natural or malicious and human error is a significant consideration. For example, employees can accidentally delete important data, bring in external devices that contain malicious software, inadvertently commit data breaches etc.
- Reputational attacks – these can include bad reviews, targeted negative media coverage and social media.
- Knowledge retention – key staff leaving the organisation without vital knowledge being retained.
- Operational – this means that the systems and processes that are critical to business operations and that the business relies on are able to continue functioning without disruption.
- Denial of access – it may be that the business premises are functioning without issue, but circumstances around the site can lead to denial of access. For example, strike action, area evacuation, disruption to deliveries, or environmental issues.
- Political events – Brexit, for example, has seen a huge impact on how organisations operate. Sourcing resources, products and/or equipment from Europe is now more challenging and the results of Brexit may continue to have an impact on human resources. International conflicts can also impact supply chains.
- Regulatory, legislative or governmental policy changes – such as import/export regulations, tax changes etc.
- Economic situations – a significant financial crash, major fluctuations in exchange or interest rates, or problems with debtors.
- Supply chain disruption – for many organisations, their service delivery or supply will be dependent on partners in the chain. What will they do if key suppliers go out of business, or cannot guarantee an uninterrupted supply? Where would they seek to find alternatives?
It can be an overwhelmingly daunting task to consider all possible risks that a business may face, but assessing the possible impact of each can help prioritise continuity planning.
The Risk Assessment Process
The aim of business continuity planning is to ensure that the business can remain operational no matter what occurs. Therefore, an important part of a comprehensive business continuity plan is carrying out a thorough risk assessment to identify all the potential threats to the business and its infrastructure, employees, operations and processes, etc., whatever they might be and wherever they might be from – direct, indirect, internal or external.
Risk assessment is simply a careful examination of what could cause harm to someone or something, and requires making a judgement on the risk severity, so that the organisation can weigh up whether they have taken enough precautions to either eliminate or mitigate the risk, whether they should do more to prevent harm, and in the case of business continuity planning, to identify should harm occur, what needs to be in place in order for the business to continue operating.
Risks have three elements:
- A definite cause
- An uncertain outcome
- An impact/effect on someone or something
A hazard or threat is anything that may cause harm. A risk is the chance, high, medium or low, that someone or something could be harmed by these and other hazards or threats, together with an indication of how serious the harm could be. There is a simple formula used:
Risk Severity = the probability of a risk materialising X the impact of a risk on, for example, the business, employee(s), client(s) and/or stakeholder(s) interests.
Probability is the likelihood that the risk might happen, and may be understood as:
- Low (Level 1) – a reasonably informed person would think it very unlikely this risk would materialise in the foreseeable future.
- Medium (Level 2) – a reasonably informed person would think there is a significant possibility this risk would materialise in the foreseeable future.
- High (Level 3) – a reasonably informed person would think there is a very significant or even likely possibility the risk would materialise in the foreseeable future.
Impact may be understood as:
- Low (Level 1) – any impact on the organisation as a business, its employees, workers, contractors, clients or stakeholders is minimal having regard to the importance of interests affected, impairment of function and duration. Typically, the impact is isolated and short-lived.
- Medium (Level 2) – any impact on the organisation as a business, its employees, workers, contractors, clients or stakeholders is significant having regard to the importance of interests affected, impairment of function and duration. Typically, the impact is limited to one function or group, but there is a material operational impact and the effects may continue.
- High (Level 3) – any impact on the organisation as a business, its employees, workers, contractors, clients or stakeholders is severe having regard to the importance of interests affected, impairment of function and duration. Typically, the impact impairs a critical function and/or has a systemic impact and the effects may be long-lasting or permanent.
This forms the Risk Matrix.
Risk assessment is based on a five-step process:
1, Identify hazards – identify situations that can cause harm, particularly harm to people, but also harm to the continuance of business operations.
2, Assess the risks – determine how likely it is that each hazard will occur and how severe the consequences could be, as described above.
3, Control the risks – decide what steps the organisation should take to prevent these hazards, control the risks, or mitigate possible negative outcomes.
4, Record your findings – this plan should include the hazards that have been found, the people they affect, and a plan to prevent, eliminate or mitigate all the risks.
5, Review the controls – managing risk is an ongoing process that is triggered when changes affect the organisation. These changes may include, but are not limited to:
- Workforce changes
- Changing work practices, procedures or the work environment
- Purchasing new or used equipment or using new substances
- Planning to improve efficiency or reduce costs
- New information about the workplace risks becomes available
- Responding to concerns raised by employees, workers, contractors, clients, visitors or others at the organisation.
Another key consideration that organisations should make during the above processes is whether or not the risks identified are closely related enough to overall business continuity. For example, when evaluating the risks associated with rail industrial action, organisations may have to not only take into consideration staff travel options and backfilling staff, but also to consider any impact on their supply chains which use, for example, rail freight to transport critical goods. Business operations will need to consider all the potential impacts on operations that a rail strike could have and draw up contingencies to mitigate the impact and to maintain operations.
Many organisations may want to establish a business continuity action team formed from key personnel from within the organisation, and any external stakeholders that may be able to support the process. Members of the action team will have various roles and responsibilities in identifying, analysing and prioritising potential risks and threats, and in planning for and implementing business continuity actions to ensure that business operations are able to continue and any disruption is kept to a minimum.
Depending upon the organisation and the type of risk the organisation is continuity planning for, the action team may comprise members from, for example, but not limited to:
- The senior management team
- Facilities management
- Human resources
- Key operations staff
- IT
- Finance
- Sales, marketing and/or communications
- Relevant external partners such as suppliers, funders etc.
Identifying Critical Assets and Functions
A critical asset or function is where there are severe consequences should that asset or function fail or be delayed, disrupted or lost causing a negative impact to confidentiality, integrity, and/or business operations. What these critical assets or functions are depends very much on the industry or sector in which the business operates. For example, to a delivery company, their vehicles will be a critical asset and their drivers a critical function. Critical assets and/or functions can be tangible assets or intangible assets and can include, but are not limited to:
- Buildings
- Vehicles
- Cash
- Laptops or other machinery or equipment
- Documents
- Operational devices
- Patents/copyrights
- Intellectual property
- Trademarks
- Reputation
- Corporate financial information/data
- Customer information/data
- Human resource information/data
- Proprietary software
- Scientific research
- Diagrams/plans
- Internal manufacturing processes
- Supply chain management
- Facilities management
- Website
- Inventory system
Evaluating the importance of an asset or function is likely to involve assigning a criticality rating to that asset or function, or asset or function class. Criticality is scored on a scale, and the scale varies from organisation to organisation, but many typically rank criticality on a scale of 1 to 5. When ranking criticality, consider the impact of the failure, delay, loss or disruption of that asset or function, regardless of current condition, in the context of impact on operations, health and safety and other outcomes.
Organisations should list all their critical assets and functions in priority order. Understanding which assets and functions are critical to the business allows the organisation to focus their resources and efforts on protecting these areas. The identification of critical assets also makes it easy to get them insured in case of loss. That way, there is a guarantee that the organisation will not be at complete risk of failure should a disaster occur.
Organisations also need to consider all third-party risks as part of their business continuity plans. Critical assets and functions may include third-party supplies such as utilities, staff or products. These should be evaluated in much the same way as in-house assets and functions. Make sure that contracts with suppliers adequately address critical asset needs in terms of responsiveness and appropriate care.
Once critical assets and functions have been identified, it is important to have regular reviews and inspections with clear and timely reporting, so that any issues are escalated as necessary. This may involve, for example, developing planned preventative maintenance schedules against the critical assets that have been identified.
When starting the business continuity planning process, organisations should take time to fully understand their operational vulnerabilities, prioritising attention to their critical assets and functions.
Risk Mitigation and Management
No organisation is completely immune to disaster. Regardless of their size, businesses need to be well prepared to ensure seamless continuity of critical operations in the face of unforeseen crises. The ultimate goal for organisations should be to minimise downtime. This includes the ability to maintain workforce productivity during an emergency, regardless of where their employees are working, for example remotely, in the workplace or at temporary premises. It is imperative for businesses to have solid business continuity plans (BCPs) in place.
Risk mitigation is the action that an organisation takes to reduce threats and ensure resiliency. When an organisation mitigates risk, they are taking steps to reduce adverse or harmful effects that the risk may pose. Reducing the impact of any potential threat is an important part of risk mitigation. A mitigation strategy will define how the organisation will manage each risk identified in the risk assessment. There are four risk management strategies that are unique to Business Continuity and Disaster Recovery, and these are:
- Risk acceptance
- Risk avoidance
- Risk limitation
- Risk transference
Although risk acceptance does not reduce any effects that the risk/threat may have on the organisation, it is used as a risk management strategy by organisations that consider the cost of other risk management options to be more than the cost of the risk itself. For example, an organisation may decide that it is too expensive to provide temporary staff for extra cover on days when there is a rail strike, and they determine that their staff can still provide a good enough service even with reduced numbers.
Risk avoidance is the opposite of risk acceptance. It is the action that avoids any exposure to the risk whatsoever. Risk avoidance is usually the most expensive of all the risk mitigation options. Organisations must decide when the cost of the risk is greater than the cost of risk management and manage their plans accordingly. For example, an organisation changes its supplier to a more local one, even though it is slightly more expensive, to avoid the risk of supplies being delayed by transport strikes.
Risk limitation is the most common risk management strategy used by organisations. By taking some action, the organisation limits its exposure to risk. Risk limitation is a combination of risk acceptance and risk avoidance; for example, an organisation can not continue its business without electricity, so invests in a generator as a backup to limit the risk.
Risk transference is the option to transfer any risk to a third party. For example, many organisations outsource specific operations such as payroll services, IT management, marketing etc. One of the most significant benefits of risk transfer is the reduced liability that it provides. However, the outsourcing company’s risk management strategies are critical to the organisation’s success, and they need to be fully aware of how the third party controls risk. Risk transfer to outsourcing must be seen as a contractual transfer of risk from one party to another.
Business Impact Analysis (BIA)
A business impact analysis (BIA) predicts the consequences of a disruption to an organisation and gathers together the information needed to develop continuity and recovery strategies. A risk assessment analyses potential threats and the likelihood of them happening. Assessing the likelihood of different crisis disruption scenarios occurring helps to identify and prioritise the most significant ones, as not all risks are equally probable.
A business impact analysis (BIA) measures the severity of those threats and how they would affect business operations and finances. In other words, a BIA is essentially an extension of a risk assessment report, as it identifies potential risks and then also measures their impact.
Disruptions happen in all organisations, and it is important to be prepared so that the organisation can get back on track and minimise any losses. A business impact analysis helps the organisation to gather the data needed to plan for and handle difficulties when they inevitably occur.
A business impact analysis is needed to identify and understand the potential impacts of disruptions on an organisation’s critical functions. It guides the development of robust business continuity management plans. A thorough BIA would start by identifying critical processes that are most vulnerable to risks identified in the risk assessment and comprise the following:
- Critical asset, process or function identification
- Risk assessment and evaluation
- Impact assessment
- Mitigation strategies
A BIA is the starting point for the organisation’s business continuity plan (BCP). With the BIA findings in hand, an organisation can develop strategies and plans to address the identified risks, vulnerabilities and criticalities. They can determine the steps they will take to protect their critical assets, functions etc. and ensure business continuity. The BIA evolves into a proactive roadmap for action. The BIA isn’t a static document, it should be dynamic and responsive and reviewed and updated as the organisation evolves, and new risks emerge.
Continuity Planning and Response
An important part of developing a business continuity plan (BCP) is the business continuity impact analysis as described above. Integrating the BIA into the BCP is essential for effective disaster preparedness. The BIA’s insights help an organisation to understand just how damaging different disruptions can be to their key operations. A BCP is not just a plan on paper, it is a call to action aimed at minimising downtime while allocating resources to support the disaster recovery plan.
A comprehensive business continuity plan (BCP) will take each risk identified in the business impact analysis (BIA) and develop an appropriate response strategy to either minimise it or prevent it altogether. These detailed plans will describe the action needed and outline who needs to be involved to implement it. It should contain detailed timescales and resources, such as laptops, alternative warehouse space, mobile phone numbers, etc. to ensure a quick and relevant response.
The key people in the organisation need to know their roles and responsibilities in the BCP, in order for a crisis or disruption to be met confidently. Therefore, the BCP must document which key personnel need to be involved in the response to the crisis or disruption, and their roles and actions need to be clearly defined so that they can react quickly and efficiently. The resources that these key personnel need following a crisis or disruption should also be clearly stated in the BCP so that they can be prioritised.
Organisations need to have compiled an emergency contact information log within their BCP which should be up to date and easily accessible to staff, and it is crucial that this information is kept on a separate system, perhaps at a separate location. This is particularly important if internet connection, phone lines, and telecommunications and data systems are damaged or completely destroyed during a disaster.
Arrangements need to be planned for alternative communications. Organisations should also have developed communications plans as part of their business continuity plan that they will implement during any incidents. They should identify everyone that will require communications, their information needs, media needed for the different audiences depending on who the message is for, for example customers, staff, service providers, the public etc., and whether updates will be required such as when situations may change rapidly. It can be useful for organisations to have developed templated press releases and social media posts within the BCP.
Organisations also need to consider implications should their premises be damaged or completely destroyed during a disaster. Do they have access to alternative site locations if staff cannot access the main locations? Is there a specified site for staff to meet and have they been briefed on what to do and who to contact in such a situation?
No matter how prepared an organisation is for a crisis or disaster, unexpected challenges will emerge along the way and there will be challenges that could not have been anticipated. This is why the capacity to adapt to these changes, react swiftly, and effectively communicate with employees, clients etc. will make the BCPs more effective long term.
Testing and Training
Business continuity plans are not just hypothetical, they need to be robust enough to be put into action. In order to test this, the final key component of a BCP is testing and training.
Realistic scenarios should be developed to test out the plan and the organisation’s response. These scenarios will be based upon the risks identified in the risk assessment. For example, an organisation may have identified that rail strikes pose a risk to business continuity so may run a scenario in which staff try out using other modes of transport to get to work on a specified date.
Running a realistic scenario helps to identify room for improvement and enables the organisation to take action to improve the plan before a crisis disruption occurs. Testing and training also helps to ensure that key personnel understand the plan and their role in it. Raising awareness of the BCP among the wider staff through testing and training will also help them to understand their role in responding to crisis disruptions.
Regular testing and training can improve the resilience of the organisation overall. How often and how in depth the testing should be depends on the organisation’s unique risks, which should have been previously identified in a business impact analysis. An organisation that has more at stake when it comes to disruption, such as revenue loss, operational downtime, or damaged reputation, will typically require more BCP scenarios and may need to run testing and training more often.
Continuous Improvement
As we have previously stated, risk assessments, BIAs and BCPs are not static documents. Ensuring business continuity is an ongoing process and organisations should be ready to adapt and refine their plan as circumstances change, and as the organisation evolves. Reviews of the plans should be triggered when any changes affect the organisation. These changes may include, but are not limited to:
- Workforce changes
- Changing work practices, procedures or the work environment
- Purchasing new or used equipment or using new substances
- Planning to improve efficiency or reduce costs
- New information about the workplace risks becomes available
- Responding to concerns raised by employees, workers, contractors, clients, visitors or others at the organisation
The BCP should also be informed by the evaluation of any testing or training and adjustments made as necessary. Also, the organisation may need to retrain staff in the event of major adjustments to the BCP.
Conclusion
In this article we have examined the importance of business continuity planning in order for an organisation to be able to continue its operations throughout and after a significant crisis or disaster has occurred. The aim of an effective BCP is to have essential business functions up and running with minimal downtime and minimum financial loss, ensuring the safety of employees, and others, and with the organisation’s reputation intact.
Key to the production of an effective business continuity plan is a robust, accurate and current risk assessment, together with a robust, accurate and current business impact analysis (BIA). These will help the organisation to identify and predict business disruption consequences and to gather information to develop effective business continuity and recovery strategies to ensure the organisation’s resilience in the face of disasters.
Assessing Risk (Risk Assessment Training)
Just £20
Study online and gain a full CPD certificate posted out to you the very next working day.