Imagine coming to work one morning to find some parts of your business or equipment destroyed by fire. This could have serious if not catastrophic consequences.
Many people don’t realise, for example, that the ongoing costs due to fire damage can eventually be four times the initial damage costs!
Amongst other things, this can be due to the loss of earning time, damage to your reputation, cancelled orders, uncertainty over whether you are still operating and customers moving elsewhere.
Contingency planning is another aspect of the Risk Management Process. It should be part of your holistic approach to protecting your business. Just as the Risk Management Process helps you identify risks, threats, severity and measures of protection etc., contingency planning gives a business the ability to respond quickly to an event, ensuring the impact of this event is minimised.
A well-documented contingency plan can ease the impact of disruption by making required responses and core business processes more readily apparent.
Contingency recovery procedures include actions, personnel and services needed to manage the incident and the recovery process. The detail in the contingency plan will obviously depend upon the size and complexity of your business.
The Contingency Pre-Planning Phase
You should start by asking yourself these questions:
- What size is your business? This has a bearing on how you organise into teams, or indeed, whether a full team structure is needed.
- What processes are business-critical? Prior knowledge about which parts of your business must be given recovery priority is fundamental.
- What resources will be required? You will need to make an early assessment of the likely costs of planning and recovery, and budget accordingly.
- Who should be involved? You will need to involve people with the right skills and experience.
Assessing The Risk Involved
You should also carry out a risk assessment analysis through a combination of physical inspections and by reviewing business procedures and practices you have in place. The analysis will highlight possible areas of business interruption exposure and resilience.
Listed below are the major headings for evaluation with examples of the issues to consider:
The organisation: Activities and business processes. How “immediate” would the effect of interruption be?
Premises: Specialised or “standard”. What alternatives are available, does location matter, how long to re-build, is there likely to be planning opposition, special conditions, difficulties with site access?
Key personnel: Are they deputised or shadowed? Do they have unique knowledge or contacts?
Customer base: market place. Are you a “just-in-time” business, how fierce is competition, what is the level of customer loyalty, are there seasonal/periodic peaks?
Utilities (electricity, gas, water): What is your business reliance upon these, what is the reliability and resilience of supply, what are your fallback arrangements, e.g. UPS (uninterruptible power supplies)?
Plant and equipment: Key items. Are there production or process “bottlenecks”, are there long lead times, what is the history of breakdown, are strategic spares kept separately?
Stock and materials: This includes raw materials, finished stock and consumables. What are the lowest quantities/highest demand levels, how long to replace, is direct supply to customers possible?
Technology dependency: Processes reliant upon IT and telecommunications. Is there adequate physical protection, how long for system (hardware/software) replacement, what service level is contractually provided?
Data: Hard copy and electronic. Is there sufficient confidentiality, integrity and availability, are back-up arrangements for data and software appropriate or off-site?
Suppliers and sub-contractors: Reliance on suppliers and contractors. Are these key to your operations, do alternatives exist?
Once you have analysed the areas which are crucial to your business’ continuity, you will then need to consider how an event or disaster will impact on your operations and the business as a whole.
Business Impact Analysis
In the aftermath of a disaster, there will be areas of your business which will compete for priority when it comes to getting your business operations back on track.
A Business Impact Analysis (BIA), as part of your contingency plan, provides a focus for recovery of business-vital activities, operations and processes. The purpose of a BIA is to:
- Identify and evaluate business-critical processes
- Prioritise what needs to be given attention
- Identify resource requirements to achieve this.
The easiest way to start your BIA is to list all your business processes and decide (yes or no) whether or not you consider them to be business critical. Where the answer is “yes”, apply a scale, for instance one to three, to decide upon the priorities and required timeframe for recovery.
Highlight what facilities and resources you would need to achieve the recovery priorities. Decide whether these could be realistically made available within the timeframe.
When developing your contingency plan, a prime requirement will be to record the plan and keep it easily accessible in the event of disaster. The plan should include:
- Brief overview of objectives and strategy
- Team(s) membership, roles, responsibilities and procedures
- Supporting database information.
Objectives and Strategy: The BIA process provides the basis on which to set the objectives and build the strategy that should identify:
- Recovery requirements and timeframes
- Alternative routes to recovery (depending upon the severity of the incident)
- Examples of possible strategies including contracted assistance, alternative premises, alternative suppliers, direct supply, stand-by facilities.
Teams: Large organisations usually require separate teams to plan and manage recovery; these may consist of management, emergency response, facilities recovery, technology recovery and business recovery teams. However, smaller businesses only require one or two teams, such as emergency response and recovery management.
The drawback to a single team, however, is the potential workload likely to fall upon key individuals in the event of a major incident. One person may be required to shoulder the responsibilities which would typically come under two or more teams in a larger organisation.
Regardless of whether you have one or two teams, there are certain responsibilities and roles which must be assigned in the event of an incident or disaster. These include:
Emergency Response Team: To have the situation evaluated, invoke the plan, command and control, deal with evacuation, damage evaluation, etc.
Recovery Management Team: To organise any new premises, furniture, plant equipment, consumables and recover the business critical processes.
These roles and responsibilities must be clearly defined and allocated to the appropriate person/team, but be sufficiently flexible to respond to unanticipated events and circumstances. There should be deputies to cater for absence.
Awareness and Training: It is important to make sure your team(s) is trained in the appropriate areas so it can be effective in an emergency situation. It is also vital staff know how the contingency plan will fall into place. This can be done by taking staff on a “walk-through” session of the plan.
Security and Availability: The contingency plan needs to be available, no matter what the circumstances. The size of your business will dictate how many other people will need a copy of all or part of the plan.
Ideally, a full copy should be kept off-site, secured and available at all times and in all circumstances.
Event Recording: Regardless of the circumstances of how the contingency plan is put in place, it is imperative to keep a record of expenses. The benefits of doing this include having a record of details of expenditure, information which will be required for validating an insurance claim. You should make sure you record:
- All pertinent actions
- Telephone calls made and received
- The time of the action or call
- What was said and by whom
- Resources (if any) used
For your contingency plan to be effective, once it has been developed, you should continue to expand and maintain it. This is part of the post-planning phase. The following are examples of ways to keep the plan current and effective.
Maintenance: Training does not end when the plan is finalised. It will be necessary to include arrangements for:
- Changes in staff and management, with responsibilities and roles allocated to key personnel who will also maintain and update information;
- Exercising the plans regularly;
- Identifying shortcomings and ensuring required changes are incorporated;
- Ongoing training for staff/team members if necessary.
Exercising the Plan: Create a program of periodic exercises designed to try out one or two components of your plan. Certain elements of the contingency plans lend themselves more readily to physical simulation.
For example, IT recovery plans provide just such opportunities. “Desk-top” simulations of loss scenarios can be used to exercise the integration of the plan with the recovery phase. As with all training and exercising, the opportunity should be used to update, amend or add to the plan.
Review and Update Arrangements: All elements of the process will benefit from being subjected to formal review procedures. At the very least, the recovery strategy, procedures and supporting database need to be reviewed annually, particularly where there are changes to product, personnel etc. In essence, you need to:
- Establish contingency plan review criteria, including periodic review and key change events;
- Maintain the plan by monitoring activities, establishing update processes and audit procedures;
- Incorporate distribution and control procedures.
Your contingency plan could mean the difference between survival and failure. However, it will be only as useful as the last time it was reviewed and updated.