When considering the risks of a business, there are two processes to be followed. The first a detailed risk review considers the operational risks of the business (normally the systems and internal workings) and the second is the Disaster planning which addresses major calamities.
Disaster planning or Business Continuity Planning (“BCP”) is often a subject that businesses and directors more particularly shy away from. Yet there is a wealth of data to suggest that businesses hit by such a calamity often do not survive; insurance, often posited as the main protection, is rarely sufficient to tide businesses over. So the old adage has it, failing to plan is really planning to fail!
What is Business Continuity Planning?
BCP entails taking a cold hard look at your business and its processes and setting down in print the disasters which could affect you such as fire, flood, loss of systems or even key people. Then for each risk set out a plan of what would or should happen immediately after the calamitous event.
It should be noted that these risks are not limited to the loss of your computer systems, which is simply one such risk. However, for many service businesses this may in fact be all they need to consider. That is how can I set up again tomorrow and download all my stored data. For many businesses, however, the issues will encompass restocking, finding new premises and possibly new production machinery.
A third area of BCP should identify all the people issues. Who should be contacted immediately, have you accounted for all your team and what further support and perhaps counselling should be laid on.
Business Risk Reviews?
Alongside developing BCP strategies, it would be a good idea to consider all the risks faced by the business – not merely the disasters involved in BCP. Charity Trustees are advised by the Charities Commission to undertake a regular review of the risks to their organisation and diligent trustees comply. There is no such guidance for Company directors but arguably the need is as least as strong as failure could result in loss of their jobs and possibly wealth if they are shareholders.
The approach is fairly simple. The review needs to list all the risks usually by business function – eg Sales, Production, Accounts, Governance and Legislation. Once scheduled, note the controls in place and actions to address perceived shortcomings. Last rank the risk High, Medium or Low. Ideally, this review should be considered by the Directors at their regular Board meetings in the same way they should be looking at health and Safety issues.
The process for BCP
Whilst every business is different and will determine different levels of risk, the steps involved are broadly the same:-
BCP Approach:
- Identify the broad categories of risk eg loss of buildings, data, staff or suppliers
- For each identified risk, put yourself in the position of the event having just happened, what do you do and what information would make your task easier? Who do you need to contact and what information do you need to provide to enable a new service to start quickly. So you may be documenting some or all of the following:-
- Estate agents who deal with commercial property
- Suppliers to re-equip or re-supply your warehouse. Ensure you have full specifications of all equipment and products. Perhaps you will need to outsource part of your operation, to document potential outsourcing companies.
- Staff list and contact details
- Customer details
- Ensuring that you can recover or restore the business systems quickly.
- Once documented, give copies of the plan to key personnel and ensure that copies exist offsite.
- Test your plans and systems backups on a regular basis.
