Emergency Planning

The Emergency Planning Unit

Prepare, Respond, Protect.


Business Continuity - Advice to Local Business.

This guide is designed to create a wider understanding of the importance of business continuity management & act as a first step in enabling local businesses & voluntary organisations to write their own business continuity plans. It is a shortened version taken from the two main guidance documents for the Civil Contingencies Act 2004. These are "Emergency Preparedness" & "Emergency Response & Recovery". All Category 1 responders have a duty under the Act to produce Business Continuity Management plans for their own organisations. It is prudent for small & medium sized businesses to create their own plans to enable their economic survival during & following an incident as they do not have the duplication of resources enjoyed by larger organisations.

What is Business Continuity Management? (BCM).

"BCM is a management process that helps manage the risks to the smooth running of an organisation or the delivery of a service, ensuring it can continue to operate to the extent required in the event of a disruption. These risks could be from the external environment (e.g. power outage or flooding) or from within an organisation (e.g. ICT failure or loss of key staff)."

"BCM provides the strategic framework for improving an organisation's resilience to interruption. Its purpose is to facilitate the recovery of key business systems & processes within agreed time frames...whilst maintaining the...critical functions & the delivery of its vital services."

"BCM is an ongoing process that helps organisations anticipate, prepare for, prevent, respond to & recover from disruptions, whatever their source & whatever aspect of the business they may affect."

"BCM is a generic management framework that is valid across the public, private & voluntary sectors. It is about maintaining the essential business deliverables of an organisation in an emergency. The primary business of private sector organisations is the generation of profit, a process that BCM seeks to protect."

Why Bother with BCM?

Having a planned response to a crisis will help you to ensure that customers, brand name, reputation & key suppliers are maintained. It could make the difference between a business surviving an incident or not. It is especially important for small companies & organisations. Nearly 1 in 5 businesses suffer a major disruption each year. Recent terrorist activity has highlighted the potential financial costs to local business, which has been explored in a BBC Panorama production. The estimated cost of the Manchester bomb in 1996 was £200 million with many businesses staying closed for weeks. The cost of the London bombs in July 2005 is yet to be fully calculated. The London power cuts in 2003 affected an estimated 225,000 people across Putney, Lewisham & Brixton.

BCM arrangements can benefit an organisation because they help to:

a) Develop a clearer understanding of how the organisation works. The process of analysing the business can yield sources of increased operational effectiveness & efficiency.
b) Protect the organisation. Ensure the impact of an incident on day to day functions is kept to a minimum.
c) Protect the reputation of the organisation. Continuation of service delivery to customers is vital.
d) Produce clear cost benefits. Identifying, managing & preventing disruptions in advance can reduce the costs to an organisation in terms of financial expenditure & management time.
e) Ensure compliance & corporate governance. Enabling performance standards & key performance indicators to be maintained.


Contents.

BCM Methodology.
The 5 Stages of BCM.
Delivering BCM Arrangements.
The BCM Life Cycle.
Exercising the BCP.
Final Comments.
Useful Links.


Effective BCM is Built on Seven "P"s.
(Business Continuity Institute 2003).

1/ Programme - proactively managing the process.
2/ People - roles & responsibilities, awareness & education.
3/ Processes - all organisational processes, including ICT.
4/ Premises - buildings & facilities.
5/ Providers - supply chain, including outsourcing.
6/ Profile - brand, image & reputation.
7/ Performance - benchmarking, evaluation & audit.

BCM Methodology (HM Government, Emergency Preparedness, Chapter 6).

The Business Continuity Institute has developed a five-stage process, which has become widely accepted & has been incorporated into a British Standards Institute Publicly Available Specification - PAS 56. This model provides a generic framework that is applicable across the public, private & voluntary sectors.

[Figure: BCM Methodology]

The Five Stages of Business Continuity Management.

Stage 1: Understanding Your Business: Using business impact & risk assessments to identify critical deliverables, evaluate recovery priorities & assess the risks that could lead to a disruption of service.

Stage 2: BCM Strategies: Identifying the alternative strategies available to mitigate loss, assessing their potential effectiveness in maintaining the ability to deliver critical functions.

Stage 3: Developing & Implementing a BCM Response: Developing the response to business continuity challenges & the plans underpinning this.

Stage 4: Establishing a BCM Culture: Ensure a continuity culture is embedded in an organisation by raising awareness throughout the organisation & its key stakeholders, & offering training to key staff on BCM issues.

Stage 5: Maintain & Audit BCM: Ensure plans are fit for purpose, updated & quality assured.

Delivering BCM Arrangements.

Programme Management: In order to be successful, BCM must be regarded as an integral part of the normal management process. Achieving top level support is essential to developing robust BCM arrangements. Engaging senior officers is crucial to success due to their influence over resource allocation & the culture of an organisation. Their support is vital because:
a) it requires the leverage they exert across the organisation in order to be effective;
b) it requires decisions about attitudes to risk & service prioritisation that can only be taken at the top level;
c) the top team is responsible for ensuring effective governance arrangements are in place.

Leadership: It is suggested that a member of the executive management board be given overall responsibility for the BCM process. This will ensure the profile of BCM issues is increased & decisions are made at the appropriate level. BCM is an ongoing process & it is important to gain the support & endorsement of the board at the end of each stage. It should be the responsibility of the senior management to provide the assurance that BCM arrangements are robust.

BCM Co-ordinator: It is important to clearly establish working level responsibility for taking the programme forward. The best approach for programme management will vary with the organisation but the following will provide the best opportunity for success:
a) An overall BCM co-ordinator is appointed reporting directly to the executive member responsible for BCM. Ideally this person would have:
i) a good understanding of the critical aspects of the business & its key personnel & dependencies;
ii) an understanding of BCM methodology & awareness of emergency management issues;
iii) an awareness of relationships with other organisations;
iv) good programme management, communication, interpersonal & leadership skills;
v) BCM is part of every manager's normal responsibilities. The BCM co-ordinator must ensure all senior managers & service heads understand the importance of BCM, the organisation's approach to BCM & their responsibilities in relation to BCM. Ultimately, senior managers themselves must be responsible for embedding the programme within their service areas.

BCM Team: The team should be drawn from existing managers within key divisions &/or locations within the organisation. Consideration should be given to the composition of the team. It must contain the right mix of skills & experience & comprise individuals with the authority to make decisions & commit resources on behalf of services.

The BCM Life Cycle

[Figure: BCM Life Cycle]

As previously mentioned, the BCM cycle is a phased, iterative process consisting of five stages, as illustrated in the diagram.

Stage 1: Understanding your business.

An accurate assessment of the organisation & its business is critical, as it will provide the basis upon which all subsequent BCM policies & processes are based. It is important to put in place a process for identifying critical functions, & identifying acceptable levels of service provision. If a declared set of aims & objectives exists, this will help identify the critical functions the BCM process should focus upon. BCM is also about understanding the inputs, infrastructure & processes that delivery of these critical functions depends on. Organisations have many dependencies both internally & externally that support their critical processes & functions. It is important to identify these at an early stage. The involvement of representatives from these key dependencies, which should include suppliers, service contractors & other partners, will add significant value to the process.

Organisations have many dependencies, both internal & external that support their critical processes & functions. These can include customers, suppliers, partners, trade bodies & local authority departments. It is important to identify these at an early stage & to take their influence into account.

Having identified the critical processes & functions, it is important to determine what the impact would be upon the organisation's goals if these were disrupted or lost. This stage is known as Business Impact Analysis (BIA). The BIA is the crucial first stage in implementing BCM, & helps measure the impact of disruptions on the organisation. It will provide information that will underpin later decisions about business continuity strategies.

The Gloucestershire County Council experience, for example, has demonstrated there are four key elements to the BIA process.

a) Defining business processes;
b) Mapping the distinct stages of the process;
c) Determining the impacts of a disruption;
d) Defining recovery objectives & minimum resources needed to meet these objectives.

Once those critical processes & functions have been identified, a risk assessment can be conducted to identify the potential threats to these processes. Potential sources of disruption are much fewer in number, for example: loss of critical systems, denial of access to premises, damage to premises, loss of key staff & key resources, all of which produce similar disruption. To this end, BIA enables an organisation to focus its efforts on key areas that threaten the continuity of the organisation's work in the event of an emergency.

The process will also take into account the time sensitivity of each business function/process to disruption, & this information will determine the recovery objectives.

It is necessary to rate the impact of these disruptions upon the critical objectives of the business in the event of an emergency. The rating given may be based on high, medium, low or a scoring system of 1-5. The impact of potential disruptions should be measured with reference to at least the following factors:
a) Implications for service delivery;
b) Health, welfare & safety of stakeholders;
c) Environmental implications;
d) Statutory duties & legal obligations;
e) Financial cost to the organisation;
f) Resources required to remedy the situation;
g) Impact of disruption on partners;
h) Reputation.

It is important all those involved in the critical processes/functions have input to the BIA. Very often these processes are cross-function/division & agreement must be reached on the ratings.

At this stage the BCM co-ordinator should gain agreement from the board-level/executive sponsor responsible for BCM on the output of the BIA because it identifies the organisation's key vulnerabilities in the event of an emergency, & narrows down the focus of the next stage of the process - Risk Assessment.

Risk is a measure of the potential consequences of a contingency against the likelihood of it occurring. The greater the potential consequences & likelihood, the greater the risk. It is important organisations identify the significant risks threatening the performance of critical functions in the event of an emergency, as this will enable them to focus resources in the right areas, & develop appropriate continuity strategies.

In this context, there are two strands to risk assessment, relating to external threats (i.e. risk of an emergency occurring) & internal risks (i.e. business risks) that could cause loss or disruption of critical services required to control, reduce or mitigate the effects of an emergency.

It should now be possible to combine findings from the BIA & risk assessment to produce a ranking system identifying those areas where the initial BCM effort should be concentrated. Agreement should be sought from the board or executive member responsible for the rankings produced.

The Annexes at the end of the document "Emergency Preparedness" give greater detail on the risk assessment process.

Stage 2: BCM Strategies

Having identified those areas most at risk, a decision has to be made as to what approach is to be taken to protect the operation.

The nature of the risk - defined in terms of its likelihood & impact - will determine which business continuity strategy is appropriate & what, if any, action is required. Disruptions that are low likelihood & low impact may require no specific action, & may be dealt with through generic arrangements. Risks that are high impact & high probability may need the development of specific plans & risk mitigation strategies.

Examples of strategies that could be adopted:
a) Do nothing;
b) Change, transfer or end the process;
c) Insure;
d) Mitigate;
e) Plan for business continuity.

Stage 3: Developing & Implementing a BCM Response

The Business Continuity Plan (BCP) provides the framework for the BCM process. It should address:
a) Solutions - how will the BCM event be managed?
b) Objectives - what are the recovery objectives & when should they be achieved by?
c) Tasks & Activities - what needs to be done in order to meet the recovery objectives?
d) Procedures & Processes - What is the route map for delivering the response?
e) Personnel - who is involved in delivering the response? What are their roles & responsibilities? How will they be notified?
f) Command & Control - who has the authority to make which decisions? How will these be communicated?

In defining & reflecting the recovery objectives of the organisation, the BCP should have regard to the key resources which underpin the delivery of its critical functions. Examples are given below.


[Figure: Key Resources]

In the event of an incident, some critical functions may need to be enhanced, reduced or suspended. The BCP needs to describe the management process for making these decisions.
a) Where a service needs to be enhanced, where will the additional resources come from?
b) Where a service needs to be scaled down, how will demands on it be managed?
c) Where a service is to be withdrawn, how will staff & customers be informed?

In developing the BCM, consideration should be given to:
a) Keeping it short, simple & user friendly;
b) Ensuring the assumptions contained are realistic;
c) References to other sources of information & supporting documentation;
d) What action plans & checklists should be provided;
e) Ownership of key tasks;
f) Pro-formas for templates & documents;
g) Version control;
h) Communication arrangements.

Stage 4: Building & Embedding a BCM Culture.

The success of a BCM strategy depends upon:
a) Implementation of the recommendations made;
b) A programme of training & exercising for those involved in the execution of the plan;
c) A comprehensive education & awareness programme.

Organisations have an interest in ensuring their suppliers & contractors have in place robust BCM arrangements. It is necessary to ensure other aspects of the delivery chain are resilient too. It is important to build BCM into procurement & contract management processes. The Office of Government Commerce provides detailed advice on its website.

BCM Training

Training of staff in the procedures & actions outlined in the BCP is essential if the plan is to be effective during an incident. Roles & responsibilities need to be clearly identified & communicated to the relevant parties. All staff need to be involved at different levels of responsibility. An exercise programme will help demonstrate the effectiveness of the training & identify any weak spots requiring additional attention.

BCM Staff Messages

Stage 5: Maintaining & Auditing BCM

Arrangements to exercise BCPs will ensure they are effective. Exercises should focus on impacts & test capabilities. While there is an infinite number of scenarios & possible responses, the list of impacts & capabilities is limited. A few examples are detailed below.

[Figure: Impacts & Capabilities]


Exercising can take various forms, from a test of the communication plan, a desk-top walk-through, to a live exercise. The programme should have the full support of the executive lead for business continuity issues. Senior management should take part in the exercises & be involved in endorsing the outcomes.

Exercising is NOT about passing or failing. It is about learning lessons.

There should be a debrief after each exercise in order to capture the experience of all the participants. It is important the captured data is recorded & considered as part of the post-exercise analysis. The analysis considers the objectives & aims of the exercise against this data & from it a 'lessons learned' report can be compiled. This report will drive the implementation of changes to the BCP, as well as form part of any future exercising programme. It will also form the key supporting evidence of the post-exercise report. This will also include all the captured data & post-exercise analysis & be presented to the executive lead for business continuity within the organisation. It will make recommendations for the lead to approve or support. Following approval, the changes can be implemented to the BCP. This process will provide an audit trail of BCP maintenance & testing.

Exercising the Business Continuity Plan - The learning cycle:
[Figure: BCM Exercising]


Final Comments.

The creation of a Business Continuity Plan is a prudent step for businesses to take to help maximise their chances of survival during & following an incident. There is an economic advantage to be gained from the information which is produced during the process. It is an opportunity for an organisation to scrutinise its present & future ability to achieve its aim & objectives. A BCP can be as simple or as far reaching as required. Some potential hazards may have such a low risk of occurring that the action may be to do nothing at all. However, at least the risk will have been properly assessed, creating a useful audit trail. It is important to focus on the consequences of an incident rather than the causes, as these may be entirely out of your control.

In addition, it is also a good idea to be kept informed of general day to day events. Flooding, severe weather, transport problems & utility supplies are probably the most likely events that will have the potential to affect your business. You can use the links below to help keep yourself up to date.


Useful Links.


Preparing for Emergencies. What you need to know. Information website provided by the Cabinet Office.
The Business Continuity Institute Home Page. Advice on all aspects of BCM.
A list of guidance documents produced by the Business Continuity Institute.
UK Resilience Home Page. Download the full documents "Emergency Preparedness" & "Emergency Response & Recovery" as PDF files from the UK Resilience Website.
London Prepared. Advice to Londoners, visitors & businesses on London's preparations for, & response to, major incidents & emergencies.
The Environment Agency. Advice on environmental issues such as flooding & pollution. Includes information on current flood alerts.
The Met Office. Weather Information. Includes information on current severe weather warnings.
The Electricity Guide. Information about the UK electricity suppliers.
The Water Guide. Information about the UK water suppliers.
The Gas Guide. Information about the UK gas suppliers.
The Health & Safety Executive. Advice & information regarding the health & safety environment.
The Health Protection Agency. Advice & information regarding current public health issues.
The Highways Agency. Advice & information regarding the Motorway & Trunk Road network.
National Rail Enquiries. Advice & information regarding the rail network.
Hampshire Business Contacts. Business support contacts in Hampshire.
Contingency Planning for a Possible Influenza Pandemic. Download PDF file with advice regarding contingency planning for business in the event of a flu pandemic.
Self Assessment Tool. The Audit Commission Self Assessment Tool can be used to help assess BCM progress.