Ordinarily we take a functioning society for granted and so carry on life and business assuming that we’re invulnerable to attack. The reality, sadly, is that we’re often just a hair’s breadth away from some form of catastrophe.
While terrorism is thankfully a rare occurrence, situations involving fire, the untimely demise of a business owner, a workman cutting a critical cable, or a PR disaster are possible and firms that fail to prepare for the unexpected are sleepwalking toward a cliff-edge.
And failures do happen. A recent survey from the Federation of Small Business reckons that only 35% of small businesses and the self-employed have a plan in place to cope with potential disruption risks to their business operations or their supply chains.
Speaking for the Business Continuity Institute (BCI), Brian Kinch, director of risk management and ecosystem risk at Visa, says that 80% of businesses generally never fully recover from a crisis where they have been insufficiently prepared. “Some go out of business such as Ratners Jewellery after its owner admitted that they sold ‘crap’, and were unable to salvage themselves after the ensuing reputational damage; some continue in business but never return to their prior performance (BP following the Deepwater Horizon disaster); some get acquired (Monsanto by Bayer, after the controversies surrounding alleged biopiracy); and some re-brand in an effort to distance themselves from past events (such as Blackwater security services to Xe following their involvement in a scandal during the Iraq war which led to over 100 civilian casualties).”
It’s impossible to prevent disaster, but businesses can prepare for recovery through a business continuity plan. Chris Selby, sales and specialist services director at the BPIF says that waiting for the unexpected is not an option: “Firms need to think of the unthinkable and by following best practice as outlined in the internationally recognised standard for Business Continuity Management System (ISO 22301) they will reduce risk and be fully prepared should business activities be disrupted.”
Business continuity management is based on the principle that it is the key responsibility of an organisation’s directors to ensure the continuation of its business operations at all times. To do this necessitates having suitable plans, processes and practices in place to meet most eventualities.
As Selby comments: “A continuity plan is something that your stakeholders, including print buyers, will expect you to have, and your insurer will almost certainly want you to provide as part of your responsibility toward risk management.”
But there is another benefit, and it’s one noted by Ann Aken, director at Specialized Print – that it’s good for business. As Aken comments, “our business continuity plan has most certainly helped us to remain a preferred supplier (especially to local authorities) and win more business.” Her position is bolstered by her belief in the uniqueness of her company when she says, “that the majority of printers are not prepared for disaster situations and do not have a business continuity plan in place.”
Prepare for everything
Gordon Brown, a senior consultant at PlanB Consulting, a business continuity, crisis management and emergency planning consultancy, thinks that listing every eventuality is almost impossible. He says: “The risk profile of firms can vary for a number of reasons including, scope and scale of a business, profile, type of operations; common themes are not always easy to read across every firm.
“However, we would highlight the most pertinent risks across many firms are loss of data (personal or business critical) and cyber security breaches or ‘attacks’. Physical site issues are, however, also very relevant for printers, including floods or denial of access situations.”
Kinch believes that the business continuity process is not necessarily about planning for a specific event, “but about planning for what to do in the event of any incident impacting one or more of four key areas: people, premises, technology and processes. For print this might include power supply interruption, supplier or distribution chain failure, denial of access or widespread sickness among key staff. But planning for specific events should, as a rule of thumb, be subordinate to planning for disruption generally.”
To an extent, this means that a plan should be based on the internal and external issues that are relevant to the company, and relevant interested parties and what they need and expect from the business. From there the plan should consider the key processes that deliver these needs and what needs to be done to keep them going (or recover from a problem). Of course, interested parties go beyond customers – there are many stakeholders including staff, suppliers, and landlords. They all still need to be paid, which will necessitate payroll and bought ledger processes being critical to any recovery plan.
It’s interesting that from an operational point of view, Aken, considers the risks to revolve around “major IT or equipment failure, failure in our supply chain, and high levels of staff or key staff absenteeism for unforeseen reasons”.
Even though total immunity is an impossibility, and as Selby notes there are limits to planning, he still says “all potential risks must be considered as part of the planning stage”.
He gives the example of a company failing to identify asbestos on their roof as a potential risk that could stop their business operations should the roof fail and asbestos is deposited throughout the press printing units. Is this really something a firm would think about? Where should the line be drawn?
Here Brown says that thinking outside of the box is essential: “If you look at recent incidents, many were unforeseen or very unlikely. For example, KFC almost ground to a halt due to a supplier change where an operational issue caused a business continuity incident and a media crisis.”
Putting the unthinkable to one side, Selby says not to ignore the obvious – fire, flood, client or supplier insolvency, vandalism, terrorism, equipment failure, and telecoms issues. Once identified, it’s up to the firm, as he puts it, to “decide what if anything you propose to do to address these risks”. Every company will differ in this regard as it depends upon how critical the risk is compared to the corporate appetite for risk.
Consider the impossible
Are the main risks to print human or from the physical? Selby is of the view that the risks are a combination of both. “This isn’t an ‘either/or’ situation; an effective business continuity management system needs to consider all types of risk and any combinations of these risks.”
This means looking at the very unlikely and not just recording the likely events, but also the unlikely “to ensure,” as Selby says, “they remain subject to review as circumstances and your own coping capacity and controls may change”.
Brown also thinks that both human and physical risks are closely linked: “Often a physical issue will have a major effect on staff, either through injury or psychological impacts such as stress or trauma.”
But thinking wider, Kinch says that it’s important to recognise “that each issue has a degree of uniqueness and the main risks, or the significance of impact, may differ from one event to another”. Consider a chain of events that starts with a technology or a process failure that happens on a Friday that may be relatively unremarkable. But if it is on the same day that monthly payroll is run, and prevents salaries from being paid, this may have a very significant knock-on impact for employee financial well-being.
Content of a continuity plan
At the core of a plan is the concept of risk management, which Kinch says should be centred upon evaluating threats or vulnerabilities and their likelihood and impact, and then finding a way to avoid, mitigate, insure against or face acceptance of the risk. He says: “The business continuity discipline is concerned with helping to ensure organisational resilience, and the capacity to withstand incidents and return to normal operation in an acceptable timeframe and condition, regardless of the issue.”
Of course, what is written into the plan will very much depend on each firm and the issues it faces, the needs of interested parties, key processes, identified risks and the controls that the firm subsequently introduces to cope with the threats. On this Selby says that it’s “critical to include an assessment of how soon you can actually recover key processes” should disaster strike.
But is there a set format? Brown thinks not: “There is no right or wrong way to write a business continuity plan as each should be tailored to the organisation and not just a list taken from the latest good practice guide.” However, he recommends including contact information; contact procedures; guidance and procedures on incident management and details of members of the incident management team; crisis communications support; and recovery guidance from different scenarios.
And when writing the plan, an open mind helps. As Kinch has seen, someone trying to gain credence for an unthinkable event for inclusion in the plan is likely to experience an uphill struggle. He offers an example: “Consider, pre-9/11, trying to plan for a dual air strike and the collapse of what had once been the world’s tallest building. Planning is about preparing to deal with the consequences in a people, premises, technology and process context, generally howsoever the issue occurred, and not trying to anticipate the most implausible sources of crises.”
A business continuity plan should be a simple, serviceable, and an accessible document that is maintained. It should be a living document which is regularly reviewed and maintained.
Further, firms should bring in help when needed. Specialized Print published its business continuity plan online on its website. A good overview of what Aken has planned for, the policy details that she’s contracted with a third-party disaster recovery service that’s been approved by the company’s insurance broker.
It’s easy to make classic mistakes in an environment where as Brown puts it, “an incident management team is under pressure internally and externally and is expected to make correct decisions”. The biggest problem from his standpoint appears to be that the belt and braces concept is taken too literally; he says he frequently sees plans with irrelevant information which are just about ticking boxes and don’t add any value.
Taking time to conduct a full business impact analysis and risk assessment will help understand the priorities of the business and areas of concern. “When the plan is written,” says Brown, “it is essential that members of the management team are trained and given support.”
And to Selby goes the last word: “Just writing and filing a business continuity document is akin to writing out an MOT test certificate for a car that hasn’t been inspected. While the operational plan is the outcome of assessment and development activities, staff need to engage and train with the plan that itself is subject to testing and evaluation, with continual improvement processes introduced.”
Planning for the unforeseen
Understand the business
Understand the business in terms of the potential threats to its normal operation. This is something that needs contributions from all staff. Look at every aspect of the business and think about the people employed, the facilities needed to work and how the product and service is provided.
Assess the risks
The threats to the business are easily categorised and although some seem improbable, it’s nevertheless good to consider them all:
Natural disasters - flooding caused by burst water pipes or heavy rain, or wind damage following storms.
Theft or vandalism - theft of computer equipment could prove devastating. Similarly, vandalism of machinery or vehicles could be costly and pose health and safety risks.
Fire - few other situations have such potential to physically destroy a business.
Power cut – virtually every system and operation requires some form of power - IT or telecoms systems, key machinery or equipment would be inoperable without a back-up generator.
Fuel shortages - shortages in fuel could prevent staff getting to work and affect the ability to make and receive deliveries.
IT or telecoms system failure - viruses, hackers or system failures could affect employees’ ability to work effectively. Plan also for failure of telephones and broadband.
Restricted access to premises – physical events outside of a firm’s control could restrict access to the workplace and therefore the ability to meet deadlines.
Loss or illness of key staff – it’s not unheard of for key members of staff to leave, be incapacitated or, worst of all, die unexpectedly.
Illness - an outbreak of an infectious disease among your staff could present serious health and safety risks.
Crises affecting suppliers – suppliers can and do fail and products go out of stock, it’s therefore sensible to use multiple sources of supplies.
Crises affecting customers - credit insurance and customer guarantees can offset a client’s inability to take or pay for goods or services.
Crises affecting business reputation – firms have been brought to their knees by misunderstood comments made public and others have failed because of reputational damage following official oversight.
Terrorist attack – while unlikely, there are real risks to employees and business operations that follow from a terrorist strike.
Develop a strategy and plan
Some risks are acceptable and can be ignored; others can be mitigated with a mutual arrangement with another business so that in case of disaster it will help out. Alternatively, some may attempt to lower all risks and become self-sufficient.
The plan that comes from the strategy is written in plain English so that all can understand it. Guidance on writing a plan can be had through a free piece of software - ROBUST - that is backed by several insurance companies. Visit robust.riscauthority.co.uk for more information.
Build in protection
Build redundancy into the business without adding too much extra cost. There’s no point renting a spare building or equipment just in case but knowing where it can rented in an emergency is key.
Plan for IT failures – especially for hard drives - which are inevitable. Back up data regularly, at least once a day, and keep the back-up offsite and accessible. Have back-ups for telephony and broadband with, for example, mobile phones on different networks with ample data packages which can be switched in if the landline of VoIP systems fail. Consider an arrangement with a neighbour – if close enough – to each have the ability to piggy back on the other’s broadband.
Look at scanning and filing documents electronically. Fast, double sided automatic scanners can turn paper into PDF files that can be backed up and which offer a searchable electronic archive. Scanning further spread the risk of loss.
Check on the business insurances, noting down policy details (and keeping them offsite). Apart from the obvious – premises, stock, vehicles, public and employers liability – also look at:
Directors and Officers insurance that covers negligence when running a firm;
Business Interruption insurance that pays to keep a business alive following a catastrophe;
Keyman Insurance that provides a sum of money following the death of a key person – co-owner or shareholder - to the surviving business partner(s) to keep the business afloat or to buy out the estate of the deceased;
Critical Illness Cover that pays out following the diagnosis of defined serious illness that invariably is terminal or life threatening;
Permanent Health Insurance that pays an income where the insured can no longer work.
Write policies and risk assess
Good polices and risk assessing threats may help forestall any obvious threats and may help lower insurance premiums as you present a lower risk to the insurer. Policies tell staff what to do in given situations - a bad weather policy informs staff of the effort level that is expected when trying to get into work and the pay/leave arrangements for when they fail to make it. Legal advice may be required for policies that affect employees.
Draw up a list of emergency contacts that includes key staff, the utilities (water, gas, electricity, telephone and broadband), employment agencies and key suppliers. Work out how calls can be diverted if there’s no access to the building to do so. Remember also details of the company accountant, solicitor and the tax / VAT office (with references). Don’t leave out neighbouring businesses in case they need to be informed. It’s also important to be able to contact customers – they need to know that the firm is still in business, especially if it’s relocated.
As they say the only way to really test a firewall is to have a fire, but disaster recovery plans need testing and must be kept up to date. Carry out a test without telling anyone that it’s a test. See where – or if – the plan falls over and fix accordingly.
Sources of advice