Business continuity planning is a planning process aimed at minimizing catastrophic risks to business critical resources, functions and processes: ensuring that the business can maintain the flow of key business deliverables in the face of supply chain risks.
Business continuity planning (BCP) is designed to identify potential threats to the critical activities or success factors of an organisation, and to ensure that these can be reduced or responded to in such a way as to maintain business functions and processes through risk events. It is about maintaining the essential business deliverables of an organisation during a disruption, or through ongoing processes of change.
BCP is thus a branch of contingency planning, specifically focused on the critical factors which threaten continuity of operations, and on maintaining (or restoring) business functions in the face of potentially disruptive events, problems or failures. If contingency planning asks ‘What’s Plan B if contingency X occurs? Business continuity planning asks: ‘What are the contingencies that
could shut us down, and how do we keep our core functions going if they happen?’
Role of business continuity planning
Business continuity planning provides a framework:
• To ensure the resilience and continuing viability of a business
• To respond to enterprise-level risk assessments ‘
• To prevent loss, damage, failure or disruption in the business-critical processes and resources (including data an acknowledge, systems, talent and supply chains) which underpin continuing output of core business deliverables
• To ensure continuity of service to key customers, and protect related revenue streams, in the face of disruptive events.
Effective BCP is built on ‘seven Ps’
According to Business Continuity Institute, 2003 the following are the seven Ps that comprehensive business continuity plan:
1. Programme – proactively managing the process
2. People – roles and responsibilities, awareness and education
3. Processes – all organizational processes, including ICT
4. Premises – buildings and facilities
5. Providers – supply chain, including outsourcing
6. Profile – brand, image and reputation
7. Performance – benchmarking, evaluation and audit
Importance Business Continuity to the procurement entities
• Creates competitive advantage
• Reduces impact and likelihood of failure
• Demonstrates management commitment – at all levels
• Enhances image and confidence with stakeholders (shareholders, customers/suppliers, employees, local officials)
• Helps organizations fulfill moral responsibility to protect employees and the community
• Enhances an organization’s ability to minimize and recover from financial
loses, market changes, fines, supplier interruptions, reputational hits, etc.
• Reduces exposure to civil or criminal liability
• Reduces insurance costs
The business continuity has developed a five stage process model, intended as a generic framework which will be applicable across industries and sectors.
1. Business risk assessment- Identify critical business functions essential for continued service or production. Determine the events that can adversely affect your company, the damage that such events can cause and the controls needed to prevent or minimise the effects of a loss potential.
2. Business continuity plan development- Record everything in the business impact analysis (BIA) process and develop a plan for disasters and emergencies. At a minimum, the plan should include: • Policy, purpose, and scope • Goals and objectives • Assumptions • Key roles and responsibilities • Business impact analysis (BIA) results • Risk mitigation plans • Offsite data and storage requirements • Business recovery and continuity strategies • Alternate operating strategies • Supplier vendor readiness • Plan activation and universal response • Communication and notification plan • Training, drills, and exercises and finally the Plan maintenance.
3. Document- Organise and document a written plan. Senior management should review and approve the proposed plan. Well-written plans reduce the time required to read and understand the procedures and therefore, result in a better chance of success if the plan has to be used. Well- written plans are brief and to the point. A certain writing format should be employed when writing the plan. A standard format for the procedures should be developed to facilitate consistency and conformity throughout the plan. Standardisation is especially important if several people write the procedures. If any aspect of the plan is based on certain assumptions, write them down. Throughout the attached checklist, the planner is reminded to document all assumptions.
4. Test – Testing is the generic term used to describe the critical process of exercising strategies and plans. Develop testing criteria and procedures. Procedures to test the business continuity plan should be documented. It is essential that the plan be thoroughly tested and evaluated on a regular basis (at least annually). The plan should be updated to correct any problems identified during the test. Types of tests include; Checklist tests, Simulation tests, Parallel tests and Full recovery / interruption tests. The tests will provide the company with the assurance that all necessary steps are included in the plan.
5. Maintain- Procedures should be developed to review the impact of new processes, systems and technology on a regular basis. (i.e. quarterly, half-yearly, annually). Document all changes to the original business continuity plan.
Elements of a Business Continuity Plan
• Risks and Impact
A business continuity plan identifies the internal and external risks your organization faces. These range from major events such as hurricanes, fires or floods to other problems such as fraud, telecommunications failures, computer viruses or supply-chain issues. The plan includes an assessment of the risk level, estimating the potential consequences of each type of disaster and the impact on business continuity. It identifies any measures in place to prevent or minimize the risk.
• Response and Resources
For each risk scenario, the plan includes an appropriate response. This will describe the actions to be taken, the people involved and the resources required to restore operations. If a major disaster occurs, you may need to set up temporary facilities. The plan identifies the source and location of facilities such as temporary office accommodation, telecommunications systems and computing equipment so key employees can quickly resume work.
• Duties and Priorities
A clear command structure is essential in a disaster. A continuity plan identifies the members of the business continuity team with a detailed description of roles, responsibilities and actions. It also sets out a procedure for making critical decisions or escalating responsibilities in a major crisis. Prioritizing people is critical — if a disaster damages property, you may not be able to restore normal working conditions for all employees in the short term. The plan identifies the key employees who must be operational from the first day. Typically, these would include senior executives, sales and customer service teams, and production-planning staff to maintain service to customers.
• Contacts and Communications
Effective communication keeps employees aware of their duties after a disaster. It also helps maintain confidence among customers and others who have a stake in the business. The plan includes templates for internal announcements and news releases covering different scenarios as well as an updated employee directory with contact information. It also includes
contact details of suppliers and emergency services. To support crisis communications, the plan lists contact information for key customers, the media and key investors.
• Testing and Maintenance
Training and testing is essential to ensure the business recovery teams can fulfill their responsibilities. The continuity plan includes a detailed training program and sets dates for regular rehearsals of the recovery procedures. An emergency plan can quickly go out of date. Risks change and new threats emerge, particularly in information technology, where attacks cyber criminals have become increasingly sophisticated. The plan names a team member to update the procedures.