Preparing Your Business
Business continuity management
Every year businesses like yours suffer major disruption from a range of unplanned events and many never recover – but past experience from such incidents in the UK shows that organisations which have ‘business continuity’ arrangements in place are more likely to stay in business and recover more quickly than those that don’t.
Business continuity is about identifying risks which may interrupt the operation of your business and developing plans and arrangements to reduce those risks and ensure prompt recovery. There are many formal definitions of business continuity but they all centre around:
- assessing what might go wrong, and
- planning to minimise disruption should the worst happen.
The need for business continuity management
Successful businesses have the flexibility to prosper in changing conditions and are strong enough to survive should disaster strike. The ability to withstand serious incidents like flooding or fire, and to quickly reopen for business-as-usual, is critical. There is also a commercial benefit to consider: proven resilience and business continuity arrangements will distinguish your business from its competitors – companies with business continuity plans are more attractive to do business with.
For small businesses, the impact of disruptive events may be more significant since many such businesses operate in specialised markets where even a short interruption to business-as-usual can have a disproportionate effect – halting output and letting customers down. In addition, it is more difficult to absorb the financial impact of business interruption, making it harder for small businesses to recover even after returning to normal operations.
If you believe that ‘forewarned is forearmed’ then a small amount of time preparing for such incidents must be time well spent. In fact, can you afford not to prepare for disruption?
Follow the simple steps below to make a start on improving the resilience of your business.
Business continuity management – where do I start?
There is no ‘dark art’ to business continuity management! A simple, common sense approach will set you on your way. Get some colleagues together and try these two steps:-
Step 1 – Analyse your business
Think about the parts of your business that are crucial in keeping it going.
- Identify your ‘core business requirements’. What do your customers expect? What must your business be able to provide as a minimum and how quickly?
- Identify the interactions that take place within your business, between you and your customers and you and your suppliers. Who do you deal with and how? Which aspects and relationships are key and which are less important?
Step 2 – Assess the risks
Identify the areas in which each part of your business is vulnerable. Think about any incidents that have happened or any near-misses you have experienced.
- What are the greatest risks to your business?
- How likely are they to happen?
- What effect will they have on the business?
Some key risks to think about include:-
- Denial of access to your building or site – fire, flood, crime scene / emergency services’ cordon
- Loss of technology, equipment or data – theft, cyber attack, IT or other equipment failure
- Staff unavailability – disease pandemic, sickness outbreak, transport disruption
- Loss of a key supplier or key resources – materials shortage, utilities failure
Work through these two steps to produce a list of your business’ most important activities and what might threaten them. It may be possible to eliminate some of the risks entirely – others may be too costly or too difficult to deal with or may be outside of your control. The biggest remaining risks which you are unable to eliminate are the ones that you should consider planning for – that is, putting a strategy in place for how you would respond should the risk occur.
Developing a business continuity plan
Each organisation’s business continuity plan will be different – there is no ‘one size fits all’ – but there are some features which will be common to most plans. Consider whether the following would be useful for your company’s business continuity plan:-
- Be clear about what your plan is intended to achieve (in most cases the plan should enable the restoration of the business to an acceptable level of activity, keeping critical activities going until such time as a return to normal business operations can be achieved)
- Plan for worst case scenarios – if something less disruptive occurs you should be able to cope
- Identify in what circumstances your plan will be activated and how notification to activate the plan will be made
- Identify who is responsible for doing what
- Use easy to follow checklists and non-technical language – make your plan accessible and easily understood by everyone.
- Prioritise – provide a clear list of what needs to be dealt with first and what can be left until later
- Append useful information to the plan – for example, contact details for staff, customers, suppliers, utilities, insurers, etc.
- Agree a method of ensuring that your plan is kept up to date – for example, it will need to be updated when key personnel change, if the business moves to a different location, if new processes are introduced or when new key clients or suppliers come on board
- Keep hard copies of your plan offsite – don’t assume that IT systems and electronic copies will be available; if possible, agree with a neighbouring business to store a ‘battlebox’ for you – materials that will be useful to you in the event that you need to activate your business continuity plan
Exercising your business continuity plan
Having put in the hard work to develop your business continuity plan it makes sense to keep it up-to-date and to periodically test or exercise it to ensure that nothing has been omitted. Make sure that you involve the key staff who would be tasked with implementing your plan so you can be reassured that each is fully aware of their responsibilities.
Exercising and rehearsal can take a variety of forms – these are just some examples:-
- Read through your plan as a group, perhaps using a scenario to reflect a realistic source of disruption. Ask at each point whether the correct actions appear in the right order.
- Check the ‘telephone cascade’ (arrangements for contacting everyone out of hours) works. Are the right people on the right numbers? Does everybody know who they should contact? What would happen if the phones weren’t working?
- Carry out a full, practical rehearsal. Make sure all elements of the plan work together
Top tip: don’t jump in at the deep end – plan to start with simple tests and build up to something more involved over time!
For each test, don’t forget to capture any lessons learned and update your business continuity plan accordingly.
Where can I get more information?
There is a wide range of free, practical online resources you can use and we’ve listed some of these below. Please note that Gloucestershire Prepared does not actively endorse or recommend any of the products, resources or websites mentioned – they are signposted for information only.
- Gov.uk – Resilience in society: infrastructure, communities and businesses – Business continuity
- HM Government Business Continuity Management Toolkit
- The Business Continuity Institute – What is Business Continuity?
- Business in the Community – Resilience Starter Kit
- Continuity Central – Knowledge Base
- Gov.uk – Expecting the unexpected
- Western Power – Helping your business prepare for a power cut
- Checklist from the National Cyber Security Centre
Also, speak to your insurer about business continuity – some providers offer their own business continuity plan templates and guidance to their business customers.
Who the proposed Protect Duty applies to
There are three main areas it will potentially apply to:
- Public venues (eg. entertainment and sports venues, tourist attractions, shopping centres with a capacity of 100 persons or more)
- Large organisations (eg. retail or entertainment chains employing 250 staff or more that operate at publicly accessible locations)
- Public spaces (eg. public parks, beaches, thoroughfares, bridges, town/city squares and pedestrianised areas). This includes event organisers using these spaces.
How the proposed Protect Duty affects you or your business/organisation
The Government considers that the owners and operators of public venues and large organisations should be required to:
- Use available information and guidance provided by the Government and the police to consider terrorist threats to the public and staff at locations they own or operate
- Assess the potential impact of these risks across their functions and estate, and through their systems and processes
- Consider and implement ‘reasonably practicable’ protective security and organisational preparedness measures (eg. developing a strategy that ensures you have assessed your site and its use, including suitable mitigation measures to protect staff, as well as staff training, and plans for how to react in the event of an attack)
- Develop a robust plan on how to deal with or act as a result of a terrorist attack.
For smaller organisations and venues, this would involve simple low-cost (or no-cost) preparedness measures, such as ensuring that:
- Staff are trained and aware of threats, likely attack methods and how to respond
- Staff are trained to identify the signs of hostile reconnaissance and to take appropriate action
- The organisation’s response to different attack types is regularly updated and exercised.
How to prepare
Consider what you and your colleagues can do to make it harder for a would-be terrorist to carry out a successful attack by:
- Being alert to suspicious behaviour and activity in and around your site, such as people loitering or displaying an unusual level of interest in asking questions, filming or photographing
- Assessing the possible vulnerabilities of your site to various attack methods, and taking suitable measures to mitigate the risks
- Being security-minded in your communications, particularly online
- Encouraging and enabling a security culture in the workplace, eg. ensuring that any concerns can easily be reported and will be acted upon
- Considering how you and your staff would respond to an incident occurring inside, outside, or near to your building or site.
For further info on the ACT programme, please visit the ACT website
Training and guidance
To help your organisation, venue and employees to be prepared, a wide range of training options are available:
- Action Counters Terrorism (ACT) training – provides a good introduction on how to respond to suspicious activity: Action Counters Terrorism (ACT) E-Learning
- ACT app – sends real-time news and counterterrorism (CT) incident updates from UK Protect, contains the latest practical advice and guidance to help you protect your business, as well as information on how to respond in the event of an attac): Action Counters Terrorism (ACT) app
- Prevent training – designed to safeguard and support vulnerable people from being drawn into terrorism; to access this, email firstname.lastname@example.org
- Intro to Hostile Vehicle Mitigation (HVM) awareness training – a beginners awareness course; apply for the HVM awareness training. Within the application process you will note that there is a requirement for a sponsor – you can use either of these email addresses: Nicole.Lamont1@gmp.police.uk or SimonP.McNulty.email@example.com
- Countering threats from Unmanned Aerial Systems (UAS) training – provides a high-level understanding of the threats posed by UAS and what can be done to mitigate against these; apply for the UAS training. Within the application process there is a requirement for a sponsor – you can use either of these email addresses: Nicole.Lamont1@gmp.police.uk or SimonP.McNulty.firstname.lastname@example.org
- CAN training – helps businesses and organisations maximise safety and security using their existing resources
- Counterterrorism Awareness Training – provided by the Counterterrorism Security Advisers (CTSA); if businesses are interested in attending or organising/hosting their own sessions, contact email@example.com to discuss and arrange.
There is also a series of guidance available: