Financial Services Intelligence Watch

Business continuity – risk management guidelines

Publish date: 08 November 2019
Issue Number: 97
Diary: CompliNEWS
Category: Compliance

Compli-Serve

Every business can experience a serious incident that can prevent it from continuing normal business operations, and this can happen at any time. This can range from a flood or explosion to a serious computer malfunction or information security incident. The Board of Directors and Management have a responsibility to recover from such incidents in the minimum amount of time possible.

This requires careful preparation and planning. A Project Manager is normally appointed to lead the team responsible for developing and maintaining the organisation's Business Continuity Plan (BCP).

It is necessary to control carefully the development of the plan and related strategies and procedures for the business recovery process.

Business continuity planning consists of the following steps:

  1. Identifying and prioritising business critical systems, functions and resources;
  2. Identifying critical resources;
  3. Identifying potential threats and preventive controls to mitigate risk;
  4. Designating responsibilities;
  5. Implementing and maintaining the Business Continuity Plan, and
  6. Validating the Business Continuity Plan.

Guidelines - Understanding Risk

We live in an unpredictable world. No matter how effectively a business protects itself through insurance, there are always some risks that cannot be anticipated. With appropriate insurance, an organisation whose business has been interrupted by fire, flood, environmental damage, denial of access or terrorist action can always expect to recover part of the costs - typically the shortfall in gross profits for a specified period following the incident. However, insurance can never provide cost-effective security against the long-term or permanent loss of:

  • customers
  • brand value
  • share price
  • markets
  • quality
  • employee loyalty

The only effective protection against serious disruption of your business is Business Continuity Management.

This risk control guidance is designed to help you to understand how to alleviate the effects of an incident and how to develop a recovery plan tailored to the needs of your organisation.

Business Continuity Management

Business Continuity Management (BCM) is about having resilience to business interruption and just-in-case recovery procedures for business critical processes.

These recovery procedures take the form of a Business Continuity Plan (BCP) that includes the key actions, personnel and services needed to manage the incident and the recovery process. The breadth and depth of planning will depend upon the size and complexity of your organisation.

The pre-planning phase

You should start by asking yourself these questions:

  1. What size is our business? This has a bearing on how you organise into teams or indeed whether a full team structure is needed.
  2. What processes are deemed business critical? Prior knowledge about which parts of your business must be given recovery priority is fundamental.
  3. What resources will be required? You will need to make an early assessment of the likely costs of planning and recovery, and budget accordingly.
  4. Who should be involved? You will need to involve people with the right skills and experience.

Risk assessment

Risk assessment is about understanding the business interruption risks to which the organisation is exposed, the likelihood of occurrence and the probable level of impact. The benefit of carrying out a risk assessment is the assurance that appropriate loss prevention and damage mitigation arrangements are in place.

Risk assessment is a required procedure for health and safety in the workplace and the same formula should be applied for business continuity.

The purpose is to:

  • identify the risks (fire, flood etc.) and threats (loss of power, communications etc.) to your business;
  • review the controls in place to reduce risks and threats;
  • reduce the risks and threats, where necessary, by implementing further controls; and
  • assess the business impact should a loss happen.

The main areas that should be addressed are the 'hardware' (the physical arrangements in place, for example fire detection and suppression devices and security equipment) and the 'software' (the human element, for example procedures, training and working practices).

Risk assessment is accomplished by a combination of physical inspection and by reviewing procedures and practices in place. The outcome of the process is knowledge of business interruption exposure and resilience combined with the opportunity to make necessary improvements. Listed below are the major headings for evaluation with examples of the issues to be investigated.

Organisation

Activities and processes

  • How immediate would be the effect of interruption?

Premises

Specialised or standard

  • What alternatives are available?
  • Does location matter?
  • How long to re-build?
  • Is there likely to be planning opposition?
  • Special conditions?
  • Difficulties with site access?

Key personnel

Their status within the organisation

  • Are they deputised or shadowed?
  • Do they have unique knowledge or contacts?

Customer base

Market place

  • Are you a just-in-time business?
  • How fierce is competition?
  • What is the level of customer loyalty?
  • Are there seasonal / periodic peaks?

Utilities

Electricity, gas, water

  • What is your business reliance upon these?
  • What is the reliability and resilience of supply?
  • What are your fallback arrangements, e.g. UPS (uninterruptible power supplies)?

Plant and equipment

Key items

  • Are there production or process bottlenecks?
  • Are there long lead times?
  • What is the history of breakdown?
  • Are strategic spares kept, separately?

Stock and materials

Including raw materials, finished stock and consumables

  • What are the lowest quantities/highest demand levels?
  • How long to replace?
  • Is direct supply to customers possible?

Technology dependency

Processes reliant upon IT and telecommunications

  • Is there adequate physical protection?
  • How long for system hardware and software replacement?
  • What service level is contractually provided?

Data

Hard copy and electronic

  • Is there sufficient confidentiality, integrity and availability?
  • Are backup arrangements for data and software appropriate?

Suppliers and subcontractors

Reliance on suppliers and contractors

  • Are these vital to your operations?
  • Do alternatives exist?

Business Impact Analysis (BIA)

In the aftermath of a disaster there will be competing requirements for recovery. Business impact analysis provides focus for prioritised recovery of business-vital activities, functions and processes. The purpose of BIA is to:

  • identify and evaluate business critical processes;
  • prioritise reinstatement or replacement needs;
  • identify resource requirements to achieve this.

The easiest way to achieve this is to list all your processes and decide (yes or no) whether or not you consider them to be business-critical. Where the answer is 'yes', apply a scale (say 1-3) to decide upon the priorities and required time frame for recovery.

Decide what facilities and resources would be required to achieve the recovery priorities. Decide whether these realistically could be made available within the time frame. Use this as the basis for plan strategy development.

Planning phase

Developing BCP

The prime requirement is to document or otherwise record the BCP to ensure its availability in the event of disaster.

The plan should include:

  • brief overview of objectives and strategy;
  • team(s) membership, roles, responsibilities and procedures;
  • supporting database information.

Objectives and strategy

The BIA process will have provided the base-line information on which to set the objectives and build the strategy that should identify:

  • recovery requirements and timeframes;
  • alternative routes to recovery (depending upon the severity of the incident).

Examples of possible strategies include contracted assistance, alternative premises, alternative suppliers, direct supply, standby facilities.

Teams

Large organisations will require separate teams to plan and manage recovery; these may consist of:

  • management teams;
  • emergency response teams;
  • facilities recovery teams;
  • technology recovery teams; and
  • business recovery teams.

Smaller businesses may require only two teams: emergency response and recovery management teams.

Very small organisations may require only a single team. However, consider the potential workload that is likely to fall upon key individuals in the event of a major incident.

Typical roles and responsibilities are set out below:

  • Management team - to have the situation evaluated, invoke the plan, command and control, media handling.
  • Emergency response team - to deal with evacuation, damage evaluation etc.
  • Facilities and technology recovery team(s) - to provide the likes of accommodation, furniture, plant, equipment, consumables.
  • Business recovery team(s) - to recover the business critical processes, as pre-defined.

These roles and responsibilities must be clearly defined but be sufficiently flexible to respond to unanticipated events and circumstances. There should be deputies to cater for absence.

Invocation and communication

Pre-define circumstances for plan invocation; give particular consideration to business-closed periods. Pre-define responsibilities within the plan. Use a cascade or communication chain system when dealing with a large number of people.

It is essential that communication be made with all potentially interested parties, as soon as possible, but in a controlled manner. The BCP should include contact details and identify who is responsible for making contact, ensuring that the right message is delivered. Those with whom early contact is essential are likely to include management and recovery teams, employees, shareholders, suppliers, customers, media, public authorities and sources of assistance, for example: disaster recovery service suppliers, building contractors, facilities and equipment suppliers, emergency glaziers and plumbers, utilities companies.

Awareness and training

Training will act as a basis for proving the ability of the team(s) to react effectively to a real disaster. Such training will arise as an element of the plan preparation process.

Check the assumptions underlying the plan strategy during the planning process to validate the viability of the plan procedures and resources. This is best achieved by the use of informal 'talk-throughs' of the procedures, adjusting and revising as required.

Once the talk-through has established the appropriate outline direction of the recovery plan, a walk-through can take place.

The walk-through takes the verbalised actions agreed in the talk-through and transfers them into the physical reality of the recovery strategy. As with all training and exercising, the opportunity should be used to update, amend or add to the BCP.

Security and availability

The BCP needs to be available, no matter the circumstances. The size of your organisation will dictate how many other people will need a copy of all or part of it, but the more copies in circulation, the more complex it will be to maintain the plan.

Ideally, a full copy should be kept offsite, secured and available at all times and circumstances.

Recordkeeping

Regardless of the circumstances of BCP invocation, it is imperative to keep a record. Benefits include the ability to carry out post-event checks on the efficacy of the BCP and to capture details of expenditure to validate possible claims against insurers and/or third parties.

Each team member should record:

  • all pertinent actions;
  • resources used;
  • expenditure.

Post planning phase

Maintenance

Training does not end when the plan is installed. It will be necessary to include arrangements for:

  • change and succession management with allocated responsibilities for the strategy, objectives, roles and responsibilities, procedures and supporting database information to be monitored, reviewed and kept up to date;
  • the plan to be exercised regularly;
  • identified shortcomings/required alterations addressed;
  • ongoing training for team members.

Exercising the BCP

Create a programme of periodic exercises, each designed to try out one or two components of your plan (the invocation procedures are an obvious and important example). Certain elements of Business Continuity Plans lend themselves more readily to physical simulation.

For example, IT recovery plans that are based upon a contracted response provide just such opportunities. Desk-top simulations of loss scenarios should be used to exercise the integration of the component plan elements. As with all training and exercising, the opportunity should be used to update, amend or add to the BCP.

Review and update arrangements

All elements of the process will benefit from being made subject to formal review procedures. At the very least, the recovery strategy, procedures and supporting database need to be reviewed annually; for most organisations, more frequent reviews will be needed, particularly where there are changes of process, product, personnel etc.

In essence, you need to:

  • establish BCP review criteria, including periodic review and key change events;
  • maintain the plan by monitoring activities, establishing update processes and audit procedures;
  • incorporate distribution and control procedures.

Your Business Continuity Plan could mean the difference between survival and failure. However, it will be only as useful as the last time it was reviewed and updated ...
