Let’s talk business continuity. Primarily used for crisis situations – when catastrophe strikes – Business Continuity Plans (BCPs) or Business Interruption Plans (BIPs) are used to focus on activities that should reduce, and sometimes mitigate completely, the impact of the crisis situation being faced. Prioritising ‘business critical’ activities, it will set out clearly what needs to be done and what process to follow to enable continuity of service for internal and external stakeholders.
Yes, we’re talking crisis situations – for example, cyber-attacks, floods, fires, terror attacks, fraud and dare I say it, pandemics. But as with each of the topics discussed in this series, the process of putting it together is often invaluable for dealing with any kind of challenge or business disturbance. Just by going through the process, you will often identify areas of improvement in everyday activity that can help you prepare and often ‘head off’ problems before they arise. The point here though, is that if you can’t ‘head it off’/don’t see it coming, you also have a plan for dealing with it.
Let’s be honest, very few people saw the Covid 19 pandemic coming round the corner and if they did, very few knew quite the impact it would have. But when the world changed, seemingly overnight or at least extremely rapidly, those with a robust plan were able to use it quickly and efficiently to adapt to a whole new way of working thereby reducing the impact on their teams and their service delivery.
There is lots of guidance and many templates available for BCPs and many national infrastructure bodies have made these applicable to voluntary sector – a quick internet search will bring these up. But wherever it comes from they will usually follow a similar pattern of steps:
- Risk Assessment – identify the risks (risk registers are a good place to start, see previous blog in this series); and ask the following:
- Who could they impact?
- What would they impact? (systems, processes, services)
- How would they impact? (disruption, service suspension or closure, service displacement etc)
It is important to understand the implications of this – you will want to analyse the cost, give your insurance cover a review, and so on…
- Identify any steps for prevention and/or mitigation and put these in place.
- Create a crisis communications plan framework – communications will need tailoring to whatever the situation is but a well thought out framework will make this much easier when time is tight and priorities compete. Allocates roles and responsibilities, design a ‘comms tree’ (who will tell who what), draft a multi-directional internal comms network (how will key messaging be communicated but also received internally), and pull together some draft messaging for possible scenarios that can be tweaked with relative ease when needed.
- Create a crisis management/response plan – communications are one aspect, but what actual steps will you take to respond and recover? Include timelines i.e. within 24 hrs XXX will happen, within 48 hrs XXX will happen, and so on. Include who will do what.
Now consider your appendices – this is a ‘grab and go’ document.
Apply this test – if this was the only document we had left, what should be in there? Telephone numbers, email addresses, passwords etc. And now, consider GDPR regulations and document security… You will want to consider how the document is stored – could you get to it under a cyber-attack, or if the building wasn’t accessible? If stored digitally, who needs access and how is it protected?
And when it’s finished – test it. Does it actually work? How often will it be reviewed and updated?
There’s lots to consider and this is not a small piece of work, but this is an essential document – one that circa ¾ voluntary sector organisations in Suffolk didn’t have last year according to our annual research. As leaders and management committees we have a duty to our teams and all our stakeholders to ensure organisations are as well placed as they can be to deal with these situations as quickly and as impactfully as they can – this allows us to do that. And given the amount of work and depth of thought it requires, making it part of the annual strategic cycle is a ‘must’.
One certainty with crisis situations is that when they do come, time is in short supply, immediate response is usually required, and decisions will need to be prioritised and made without the usual ability to ‘mull it over’ for a while. Therefore, having a plan will not only point the management team in the right direction but will provide the reassurance that the process has been given due consideration and having been tested, can be relied on – and that reassurance is invaluable.
This blog is the 5th in a 6-part series on challenge and crisis – next time, we’ll focus on reserves so watch this space and do get in touch if there are other topics you would like to see.
Hannah
