Business Continuity Planning: Where do we start?
Pete Holmes, Aviva Risk Consultant, answers everyone’s first question on how to plan for the unexpected.
Over the past 12 years, I’ve regularly visited Aviva clients to help with Business Interruption Insurance and Business Continuity Management (BCP). This involves gaining an understanding of how the business operates, where it earns its money, and what protections are in place. The process is very much collaborative one, with both broker and client, during which we work together to build a relationship, get a picture of the risk, and to offer any risk management help and advice we can.
Preventing big losses from small incidents
There’s no doubt that protecting the business against the impact of interruptions is of the utmost importance. Even a minor insurable incident, a small fire for example, can lead to a considerable impact on the business’s ability to provide its usual service levels to its customers – something which can result in a sizeable loss of profit. Business Continuity Management and Planning has been solidly proven to help minimise the likelihood of an incident occurring – or, if does occur, minimise its impact and maximise the business’s chances of making a fast and full recovery.
I often see businesses with a limited BCP, an out of date BCP, and surprisingly on occasions, no BCP at all. In fact, in a recent Aviva survey Footnote 1, 19% of businesses do not identify or document any key risks. This leaves them with no focus or clear priorities should an incident leading to an interruption occur. This would mean their down-time after an incident is likely to be substantially longer, while they sort out what they need to do – risking a serious loss of customers and market position.
So, Business Continuity Planning is key, and the single most important question I’m asked on this subject is “Where do we start?” The answer is Business Impact Analysis (BIA).
Four key factors that could prevent a crisis
Business Impact Analysis is at the centre of continuity management. It looks at four crucial areas, to provide a full picture of the threats to a business: the key areas to protect, and how to provide either increased protections in an area, or established work-arounds, to mitigate the impact of an incident.
- Threat analysis
Threat analysis is an important stage in the BIA process. This should involve all areas and concentrate on what could happen to stop, or seriously affect, the business’ ability to service its customers. Fire, flood and theft are all serious factors, but other issues including weather, denial of access, supply chain issues, and incidents at a key customer’s premises should all be considered.
The other three areas all need consideration, though some smaller businesses may merge two, or all three into one assessment.
Products and services
Products and services should be carefully examined. What are the key aspects to the business? A dominant product line or lines? A key customer contract? Each business will have its own priorities, and these are what the BCP should prioritise to protect the business.
Once the products and services have been assessed and a list of priorities made, we need to determine the Maximum Tolerable Period of Disruption (MTPD) – this is how long the business has to restore services to its customers before they might be expected to go elsewhere. From this, we can set a recovery time objective – a period for retrieval before the MTPD expires.
The third stage is to consider the processes needed to provide the prioritised products and services which were previously examined.
Following directly on from this, we need to identify the activities required to provide the processes for the recognised priorities. This will entail making a list of the staff and resources, equipment, utilities, raw materials etc that the processes require, to support recovery by the set recovery time objective.
Back to the question: this is where we start…
The BCP is built around the findings and priorities of the Business Impact Analysis, and should provide a concise, relevant and usable plan, to protect against issues from happening in the first place, assist in managing an incident if one does occur, and focus the activity afterwards to protect service to the business’ customers as far as is possible.
Without Business Impact Analysis, any plan would lack direction and priorities. And that’s why it has to be the answer to that often-asked “Where do we start?” question.