Business continuity: the importance of preparing for the worst

How would your business respond if disaster strikes? BSI explains the importance of preparation, so you can get back to business as usual.

Organisational resilience is the ability of an organisation to adapt and evolve with the ebb and flow of the marketplace.

This is accomplished via a variety of means, including having a recovery plan for disaster and a mindful approach to keeping up with the changing needs of consumers.

Business continuity is one of the pillars of organisational resilience, alongside governance, resilience and crisis management. Business continuity is how you prepare for and react when disaster strikes, in order to mitigate loss and get your organisation back to business as usual as quickly and efficiently as possible.

What does disaster look like?

Disaster comes in many forms, from cyber-attack to weather damage. It can be a large-scale emergency or a smaller, more prosaic issue that affects a single business – a network issue, for example. No matter how much you prepare for disaster, there’s nothing you can do to avoid it completely, because it’s impossible to predict what, how or when it might strike.

Why do you need to prepare for disaster?

As many as 75 per cent of businesses fail within three years of experiencing disaster. Often, this isn’t just because of the direct cost of the repairs, but the indirect cost, too. A business may suffer from damaged relationships with suppliers and customers, or sustain production losses as a result of running at partial capacity (or not at all) for a period of time.

The Civil Contingencies Act 2004 stipulates that Category 1 responders, such as the police and fire and ambulance services, must have robust business continuity policies in place. Category 2 responders, such as local authorities, power companies and water, gas and telecoms companies, must also be prepared with business continuity plans. And the same goes for suppliers for these companies. For these essential services, business continuity policies are essential.

Business continuity policies and the associated standards can also help to fortify insurance policies, and in some cases, provide discounts.

How can you prepare for disaster?

‘Prepare for the worst and hope for the best’ is a motto that often rings true for the business world. You could even go so far as to say that it reflects the underlying premise of business continuity.

Business continuity is about achieving business as usual in the face of disaster in order to mitigate damage to the business. This could be by taking precautionary measures before an incident, or by having measures implemented to manage an incident at the time it happens.

Building a business continuity strategy

In order to effectively prepare a business continuity strategy, you should follow a logical assessment of the risks:

1) Understanding the risks

Different circumstances present different risks. Businesses in earthquake-prone locations, for example, would be more justified in anticipating earthquakes, because they occur more regularly. Equally, a manufacturing business might be at greater risk of fire than an office. Business continuity is all about considering the particular risks engendered by your business and circumstances.

Business impact analysis could help you to understand what the financial repercussions of these risks would be for your activities. In order to do this, you need to ascertain how time-critical your business functions are – from production to paying stakeholders. This gives you an understanding of how a disruption could affect your stakeholders, services and products. Once complete, you can begin to think about how these translate into objectives for recovery.

2) Addressing the risks

Once the risks have been identified, you should consider ways to overcome them. For example, if your server goes down, it could be costly for the business – you might consider installing a backup server to see whether this would reduce the risks. Many risks cannot be eliminated completely, meaning that you will need to implement a strategy for dealing with issues when they do occur.

3) Implementing solutions

Solutions are not just about paperwork; they are about expanding your employees’ responsibilities to include business interruption prevention protocols. People should be given specific roles and responsibilities to support these strategies. If needed, training and tools should be provided for these additional responsibilities. It’s vital to consider communication here – who needs to know about which strategies?

4) Reacting in real time

Systems must be honed so that they work in real time in order to be effective. This means considering the situation as it would happen in actuality, not as it would happen on paper, in order to accurately understand the process and how you could mitigate damage.

Standards and business continuity

There are many standards which can help improve business continuity, in particular international standard ISO 22301 Business Continuity. This standard helps identify current and future threats and lets you take steps to mitigate any unfortunate occurrences that might take place. A plan is then put in place to minimise downtime.

ISO 22313 Guidance for ISO 22301 is a complementary standard addressing guidance for the key business continuity standard. This supporting standard looks in particular at societal security and business continuity management systems. It’s about managing the situation and addressing business needs to come up with a structured approach to deal with these two elements.

Looking to the long term

Business continuity is also about being aware of the larger changes going on around you that may affect the organisation’s ability to carry on with its activities. Rather than a one-time assessment, business continuity should be a constant process through which you continually adapt and evolve your plan to tackle any issues. This should be part of a wider organisational resilience strategy designed to make your business more robust.
