Did your organisation’s Business Continuity Plan provide meaningful guidance during COVID and the recent flooding events?

Was it even referred to? If it was, has it been reviewed since then?

Most BCPs include a lot of theory but are often too bulky to provide any meaningful guidance during a disruption event.  In many instances they are developed with external assistance and whilst including useful background information, they generally aren’t developed in such a way as to assist in managing the actual continuity of business operations immediately following a disruption event.

A BCP should be developed as part of a process and not as a stand-alone document.  This includes the following:

  • Consideration of the organisation’s Critical Services / Functions. This is generally facilitated via a workshop with key stakeholders to commence the Business Impact Analysis process and includes a review of key processes whilst identifying the Critical Functions and current and required controls.
  • Determination of the Maximum Acceptable Outage times for Critical Functions, being the maximum period of time that the organisation (and more importantly, its customers) can tolerate the loss of capability of a critical function, asset or IT application.
  • Once critical functions have been identified, a threat risk assessment workshop needs to be undertaken on the Critical Functions to identify, in view of the controls the organisation currently has in place (e.g. work arounds, redundant plant etc.), which of these presents the greatest risk to delivering its services within Maximum Acceptable Outage times.
  • The output of this threat assessment workshop is generally a Critical Functions Risk Register that establishes priorities for all future actions in regard to the development of the BCP.
  • BCP documentation must then be designed to be user-friendly, incorporating response, continuity and recovery activities, related roles and responsibilities, resourcing requirements and organisational interdependencies that are specific to the organisation’s needs.

It is always advisable to review a BCP after a business disruption event whilst the event is still fresh in stakeholders’ minds.  This ensures that learnings are captured and knowledge is retained within the organisation.  It is also a good opportunity to review BCP documentation to critically assess what did not add value and is thus not required.

The most useful BCP is one that is current and actually provides guidance to end users both before and during an event.

Please contact QRMC for more information.