Businesses in today’s competitive environment can be judged on their ability to operate and provide a service at all times. The recent Buncefield oil depot blaze in Hertfordshire, the London bombings and high-profile floods are all events that have had dramatic effects on business. Despite this, according to a recent survey, 20% of organisations do not have a business continuity plan.
Some might think that only large institutions and organisations need a business continuity plan. Not so. Every company, whatever its size, needs to have back-up processes in place. Less than a week after the US terror attacks of 9/11, the major financial institutions in Manhattan that had been severely affected by the terrorist attacks were reopened for business. This was due largely to sophisticated business continuity planning.
A plan is essential to cover all critical systems. The aim of any plan is to move the organisation from its disrupted status towards a return to normal operations. Employers should not be fooled into thinking a business continuity plan is only necessary to prepare for major environmental disasters or terrorist attacks. Businesses should also plan for other emergency situations that are far more likely to occur, such as workplace violence, loss of utilities, equipment failure and technical sabotage.
Employers should be mindful that a business continuity plan is not necessary only to protect its business from actual disruption: in today’s society, any self-respecting employee is asking the question: ‘Has my employer taken appropriate steps to protect me from potentially dangerous incidents?’
Although there is no specific law requiring employers to have a business continuity plan, existing health and safety legislation lays down the general principles to be followed by employers to govern the health and safety at work of employees. Companies and individuals can be held responsible to those affected by the company’s inability to cope and/or recover from a disaster. All organisations, whether public or private, have a duty of care and not having a business continuity plan can violate that standard of care.
Conducting a risk assessment is the first step towards identifying the key issues to include in a business continuity plan. Part of the risk analysis process is to review the types of disruptive events that could affect the normal day-to-day running of the organisation. Clearly, environmental disasters are a risk to everyone, but companies should also consider risks specific to their business and the wide range of other potential threats. Having identified each risk and its potential impact, an employer should formulate the business continuity plan to minimise or eliminate the risk.
Steps to implementation and fostering the right culture
Support for the business continuity plan must come from the top and have the backing of senior management. Proper consultation and communication with employees is absolutely essential.
Too often plans are made without proper consultation with the employees involved.
A business continuity plan may require employees to change their working patterns or practices in response to a disaster and they should understand that this may be the case. Some may be asked to take on additional roles and responsibilities as part of the business continuity plan, after individual consultations.
Above all, employees should understand the plan. This means that appropriate training should be provided to existing employees and be part of any induction programme for new employees.
This should cover areas such as how to report potential problems and raise the alarm, being clear about key personnel in the plan, evacuation procedures and perhaps the provision of a security card setting out emergency numbers to call in the event of a major incident.
Employers also need to communicate with other organisations they deal with, such as neighbouring businesses, key customers and clients. If your suppliers have a business continuity plan, you need to consider how they continue to provide a service in the wake of a disaster.
Don’t stand still
Any policy or plan is not static. All employers should regularly review their policies, including a business continuity plan, to ensure they reflect changes to the company, industry or to external events. Designate responsibility for maintenance and development of the plan to specific people so you maintain a focused approach.
Review your risk assessments, consider regular scheduled testing or, where possible, disaster simulation to ensure that the business continuity plan is effective.
Matthew Yates is partner and head of employment at DWF, Manchester
For more information
Coping with the big bang www.personneltoday.com/33511.article
Business continuity flaws exposed by bombings www.personneltoday.com/30868.article
SMEs continue to ignore business continuity issues www.personneltoday.com/31669.article
Global portal for business continuity and disaster recovery www.globalcontinuity.com/
Creating a contingency plan
Internal and external communications
How will effective communications take place if the mobile networks are down?
How will you get information to employees if the disaster occurs outside normal working hours?
How will you handle calls from relatives if the incident occurs during working hours? In the London bombings, one of the main challenges was to track down employees. Consider longer-term measures such as having telephone calls diverted to alternative locations or mail delivered to other premises.
Managing the media
Who is going to be the spokesperson for the organisation Ð have they been trained? More positive media coverage will be the result of a good business continuity plan.
How will you communicate widely to the public and customers? Should employees/customers receive an emergency communication giving them regular and up-to-date information on developments?
Is there information that can be pre-prepared on basic company facts – safety record etc – that can be released quickly to the media?
IT recovery arrangements
Consider procedures for back-up and off-site storage, protecting and replacing equipment and software.
What about data relating to customers and suppliers, employee information etc?
Is there an alternative site from which the business may be run temporarily Ð is the IT support in place?
Consider arrangements with your banks, company stationery, cheque books, credit cards, etc.
Details of key employees: if you are going to operate from another location, how will employees get there?
What facilities will they need?
Employees may also need assistance with loss of personal effects such as house and car keys and changing home locks if keys have been lost.
Medical support may also need to be given.
In the long term, the psychological impact of a disaster may become more apparent. Employees may need counselling not only in the aftermath but over an extended period.
Consider general security arrangements for damaged premises and alternative premises.
Do you need to liaise with the police?
How will papers and documents be kept secure? When an explosion occurred at the head office of a major bank, the surrounding streets were littered with papers containing confidential information Ð there was then an issue of breach of confidentiality and poor publicity.
Consider evacuation procedures, reception of the emergency services, rendezvous points for employees and central emergency numbers.