NIG have informed us of the importance of knowing your business vulnerabilities and how to assess those risks for your organisation and we have adapted their article to bring this information to your attention in order to encourage you to protect your business from external or internal impacts and threats.
_______________
You may know your business vulnerabilities very well or you may not, but how to strengthen those weaknesses and minimise risk is the first step to understanding weaknesses and creating a strategy to secure your business.
Business Impact Analysis is the foundation of Business Continuity Management. It identifies, quantifies and qualifies the business impacts of a loss, interruption or disruption of business processes on an organisation. It then provides the data from which appropriate continuity strategies can be determined. A Business Impact Analysis examines the operational functions such as the loss of ability to deliver each product or service, an interruption to the internal and external activities that would disrupt the delivery of products and services or a disruption of a business area’s activity – to assist in the preparation of a detailed plan for the department.
First you have to gather all the information you can about what risks there are, then you need to provide an assessment of the risks.
There are two aspects to every risk to consider your business:
How likely is it to happen?
What effect will it have on your business?
Then you should develop your strategy.
Ensure that the Board and senior management agree with your analysis of the company’s business risks and which people and tasks are essential. If you have enrolled or delegated support with the risk analysis, one department may tell you they need to be operational again within one day and another will compete for this place. It is up to the board to agree with the assessment and comment on priority.
Is yours the kind of business that is committed to reducing risks, or one that prefers to take risks and have a ‘comeback’ plan? Your management’s attitude to risk may be partly based on the costs of delivering effective business continuity. Remember to include both money and peoples time when developing your strategy.
All business continuity plans should and will look different for different businesses, but most good and effective plans will share some important features such as the set up.
Make it clear that you have consulted throughout the business and use non-technical language that everyone can understand and follow easily.
The contents should be clear who takes responsibility for what task and always include deputies. Check-lists used should be easy to follow, include clear and direct instructions for the first crucial hour after an incident, include a list of things that ‘do not’ need to be thought about until after the first hour and ensure this is always a ‘living document’ – agree how often you will revisit the plan to update and reflect organisational changes, a good plan will be simple without being too simplistic.
You will never be able to plan for every possible event. Just remember that people will be under stress and will need to be able to react quickly in an emergency. Stopping to read lots of detail may make things more difficult. Plan for worst case scenarios and then the plan will also work for simpler smaller situations.
Now you have acknowledged your business vulnerabilities and created a plan of action, match your people to that plan. The business continuity recommends the Gold, Silver and Bronze (GSB) structure to help define who should do what.
Gold – Strategic – The Thinkers
Silver – Tactical – The planners and co-ordinators
Bronze – Operational – The doers
You can apply this GSB approach to most businesses, however it is essential to ensure proper communication and co-ordination of business continuity plans.
Include information from outside your business. No business operates in a vacuum. Include information from outside experts in planning for emergencies or from other businesses that may face similar risks.
For example you could use emergency planning officers, emergency services, neighbouring businesses, utility companies, suppliers and customers or your insurance company for more support and information.
Sometimes you only discover any weaknesses in a plan when you put it into action. Just as you would a fire drill, rehearse your plan.
There are various ways you can do this, one of them being paper based exercises. Read the plan through as group, question each action. Is it the right thing to do? Do we do things in the right order? Then test the plan with the ‘what if?’ written scenario. You can add new pieces as the scenario unfolds, in the same way that more details would become clear in a real incident. Remember this is a ‘living document’ you will need to rehearse whenever you update the plan.
Another way is telephone cascading. Without warning, a test message is sent out to everyone at the top of the call cascade lists in the plan(s). The message is cascaded, with the last person in each cascade contacting a nominated person, who records when the calls come in. This will allow you to check your communications structure. Are you having difficulty in contacting people? Are the telephone numbers right? Are they still with the company?
Or just like a fire drill, a full rehearsal. This can be an expensive way to test your plan, but it will show you how well different elements of the plan work together, this may not be clear when you test individual parts. Planning this rehearsal properly should assist you to check the full plan with the minimum cost and disruption.
You should also monitor and review your plan. Monitoring provides the information to let you review activities and decide how to improve performance. Audits, by your own staff or outsiders, complement monitoring activities by looking to see if your policy, organisation and systems are actually achieving the right results. They tell you about the reliability and effectiveness of your systems. Learn from your experiences. Combine the results from measuring performance with information from audits to improve your approach to health and safety management and business continuity.
When reviewing your plan, pay close attention to the degree of compliance with health and safety performance standards (including legislation), areas where standards are absent or inadequate, achievement of stated objectives within given time-scales, injury, illness and incident data – analysis of immediate and underlying causes and trends and common features.
These indicators will show you where you need to improve.
Ask yourself:
- How do you learn from your mistakes and your successes?
- Do you carry out health and safety audits?
- What action is taken on audit findings?
- Do the audits involve staff at all levels?
- When did you last review your policy and performance?
This approach to managing risk is tried and tested. It has strong similarities to quality management systems used by many successful companies. It can help you protect people and control loss. All six steps are fundamental.
Reviewing performance would be the final step to ensure that feedback is used to improve the process.
If you haven’t done so already, Download the NIG template to create your business continuity management plan and for more information about BCM, visit the Government’s toolkit.
_______________
Talbot Jones Ltd is a family-run Chartered Insurance Broker specialising in Third Sector and Professional risks. Get in touch for free insurance advice, review or quotation.
Talbot Jones Ltd incorporates March Insurance Services, a Chartered Insurance Broker specialising in Agricultural and Hospitality Risks.