Every organization is at risk from potential natural and man-made disasters including:
Business Continuity Planning
Prepare Your Organization For The Unexpected
- Power and energy disruptions
- Communications, transportation, safety and service sector failure
- Cyber attacks and hacker activity
- Environmental disasters such as hazardous materials or chemical spills
Creating and maintaining a Business Continuity Plan will help ensure that your organization has the resources and information it needs to deal with an emergency situation.
What is a Business Continuity Plan?
A Business Continuity Plan (BCP) is a means of preparing your organization for the unexpected and ensuring your business survives in the event of a serious loss or incident. Along with crisis management and disaster recovery, a BCP forms part of an organization’s overall risk management strategy.
How will your organization react if your premises are temporarily or even permanently lost due to a fire or flood? What if someone is seriously injured on your premises? Where will you set up operations in the event of a fire? How will you inform your clientele? Will you be able to access important documents and records? How will you communicate with employees? A Business Continuity Plan can address these, and many other questions.
Why implement a Business Continuity Plan?
A BCP assists organizations in restoring normal operations within a manageable timeframe and at a manageable cost, thus ensuring the organization’s ongoing ability to serve its clients, to protect the safety of staff and volunteers, and to prevent accidents. Whether your organization is a charity, a non-profit, or a for-profit enterprise, you want to minimize long-term damage in the event of a disruption. Smaller organizations may sometimes overlook the importance of developing and implementing a BCP, but lack of planning for such an eventuality can result in:
- Loss of existing customers
- Lost opportunity to gain new business if you are not up and running as quickly as your competitors
- Permanent damage to your reputation
- Loss of key staff and volunteers who may move on during the down period. Your organization may not easily recover from this loss of human capital
- Unexpected capital outlays leading to long-term financial difficulties—perhaps forcing you to shut down operations permanently
- Injuries to staff or visitors on your premises.
Putting a Business Continuity Plan in Place
Implementing a cohesive Business Continuity Plan involves adopting a business continuity policy that clearly defines the role of management personnel in developing, testing and maintaining the plan. The following is provided as a general outline of what your Business Continuity Plan can entail.
- Establish a Steering Committee to oversee the project and to designate a project manager. The committee should be selected from senior management and be representative of all areas in your organization.
- The project manager will formulate a project plan and project timetable. The project manager, together with the Steering Committee, should outline those who will be contributing to the project.
- The Steering Committee will oversee the implementation of the plan in the event of an incident. The committee will provide strategic direction and communicate essential messages.
Risk Assessment and Business Impact Analysis
A Business Impact Analysis (BIA) helps to identify the internal and external impact of disruption to an organization’s normal business operations. Steps in a BIA may include:
- identifying the organization’s mandate and critical aspects
- identifying services and products and ranking their importance or priority for continuous delivery or rapid recovery
- identifying impacts of disruptions
- identifying areas of potential lost revenues
- identifying additional expenses
- identifying intangible losses
- insurance requirements
- identifying internal and external dependencies.
Uncovering ‘what could go wrong’
Of course, it would be preferable not to experience a loss in the first place, and while you can never eliminate the possibility of a loss, important steps can be taken to mitigate or control the hazards that face your organization. A risk control program, which includes carrying out a risk assessment helps you learn about the risks your organization faces and allows you to put in place a business resumption or business continuity plan that is specifically tailored to your situation.
Identifying Potential Scenarios
The impact of various types of losses on operations, systems, and various relationships (both internal and external) need to be assessed for the more likely scenarios.
- How long can the business survive without access to key systems or facilities?
- What will be the impact on revenue?
- What type of impact can the organization withstand?
- How resilient are systems, data, and other processes?
Developing the Plan
In this step, the plan is established and documented. The plan will define the roles and the responsibilities of key personnel and any changes to procedures. This plan can be broken down into two parts:
The first part of the plan outlines procedures for the first 24-hours following an event and should include details on:
- Evacuation procedures: includes where to evacuate to, who is in charge of evacuation (and ensuring that everyone is out of the building) and who will contact emergency services;
- Personnel: the people who are designated to liaise with emergency services, staff, visitors, and media if necessary;
- Meeting places for staff and visitors: what facilities should any temporary accommodations be equipped with (bathrooms, telephones, etc.);
- Treatment of any injuries: who is trained in First Aid, where are First Aid kits kept, where will they be treated, counseling, incident reporting, etc.;
- Hazardous substances: dealing with any hazardous substances such asbestos or other chemicals;
- Communications: who needs to be informed? A telephone tree may be created. A telephone tree ensures all relevant people are informed and does not leave one person to make all the telephone calls. As illustrated in the chart below, every person need only make two telephone calls;
- Mitigating the loss: protecting property, removing salvage, removing debris, securing the site;
- Important contacts: contacting service providers to disconnect/reconnect services as appropriate; contacting any other relevant local authorities; contacting your insurer to report the loss.
This part of the plan comes into action once the full extent of the disaster is known, and outlines procedures and requirements for:
- Premises: type of building, location etc.
- Furniture: what is needed and who can supply it?
- Equipment/Machinery: including computers, phones, stationery, etc: what is required and where is it available?
- IT contingency: outlining how to restore vital systems. If IT has been outsourced, it is important to ensure that your organization can still access critical files in the event of an emergency affecting systems. These and other requirements should be specified in the contract with all service providers.
Implementation, Testing & Maintenance
- Once the plan has been created, it needs to be tested regularly to ensure that the contingency procedures and processes put in place function as intended and that there are no important issues left unaddressed. How the testing is done will depend upon the recovery strategies that have been put in place.
- Both the plan itself and the risk assessment/impact analysis need to be reviewed periodically to ensure they appropriately address the risks actually faced by the organization.Any training that is necessary under the plan should be implemented.
- It is important to ensure that the plan is reflective of the current systems and procedures. Any time a change is made, the recovery plan should be evaluated to determine if any changes to the plan are necessary.
- Every member of the Steering Committee and all key personnel should have a copy of the plan and the telephone contact tree (preferably a wallet-size version).
- Copies of the plan and telephone tree should be stored at a secure off-site location.
- Copies of the plan and telephone tree stored onsite should be kept in a fire resistive box or cabinet.
- Communication procedures are an essential part of the plan, e.g., a telephone tree to advise all employees of appropriate actions in the event of an emergency.
- How will communication with the media be handled?
- Keeping all employees, volunteers, clients and any other interested parties apprised of your progress towards full business resumption is a vital task and important for preserving relations with these groups as well as with the public in general. Communications problems can potentially lead to long-term damage to your organization and irreparable damage to your reputation.
If your organization is unable to deliver services and/or products, the consequences could be severe and far-reaching. A BCP plan will help you moderate your risk and allow you to continuously deliver the products or services required by your clients.
Ecclesiastical Insurance can help. Insurance and risk management are two sides of the same coin. At Ecclesiastical, we believe that risk management is about providing practical support to help you run your organization safely. Our approach is to take an active role in preventing loss, and our risk control specialists are highly skilled at performing a detailed risk assessment that will help you identify, manage, and minimize hazards and risks. This risk assessment process includes a building(s) valuation that can be used to help you determine the appropriate amount of insurance for your organization.
Insurance is there to protect when things go wrong, and it works best when it enables people to get on with their normal activities as swiftly and smoothly as possible. This is where Ecclesiastical’s insurance cover and claims service excels. We do all we can to put things right quickly. However, we also know there’s only so much that reactive measures can do to ease the financial, physical and emotional disruption that follows any incident that results in an insurance claim.