Published on December 01, 2023
Global pandemics, once-in-a-generation levels of industrial action, and increasing severe weather – let’s face it, we’ve all been put through the wringer the past few years. More than ever, businesses realise they have to have a plan for anything and everything.
But how do you create that plan? And how should you test it? Our guide outlines how your company can develop a strong business continuity plan and be prepared for (almost!) anything.
Let’s get to it.
Business continuity refers to the practices and plans an organisation has in place in the event of an emergency. Sometimes, those plans are for small emergencies (like a brief power outage or internet failure), and sometimes, they’re for major ones (like a terrorist attack or a flood).
No matter how large or small your business is, business continuity should always be a top priority. A plan needs to be intelligible to the people who have to enact it. After all, what if an emergency keeps your key personnel away from the office?
Many companies hire consultants or use BCMS software to stay on top of business continuity plans. It’s worth a look into, especially if you’re a growing business.
A business continuity exercise is designed to put your emergency communication plan to the test. Don’t be shy about rigorous exercises – your goal is to find holes in your plan so you can correct them before the real thing happens.
You can sort exercises into three main piles – they mainly vary in how realistic they are (and how much time and effort they require). Plan Review
A plan review is exactly what it sounds like – relevant stakeholders go through your whole business continuity team and plans line by line. You may also invite comments from lower-level employees on various teams. After all, they may see flaws that the higher-ups do not.
A plan review is the least costly in terms of time and energy. You can also spool out the process over several meetings, making it much easier to schedule.
It’s also easier to invite comments from a larger range of stakeholders. You can’t put 1,000 employees in a conference room for a tabletop test, but you can ask for ideas of where your plan is lacking.
Going through a plan in a meeting is about as far from real-world conditions as you can get. Some insights might be lacking if you’re not under the stress of a real or imagined emergency.
Reviews can also be subject to a certain amount of groupthink. An employee might not want to be the one person who raises an issue.
A tabletop test gets one step closer to real. Participants meet to run through tabletop exercises based on real-life scenarios. Tabletop tests allow you to work through potential problems in a situation with a little more pressure and stress.
For instance, you might role-play how to handle a ransomware attack. At various intervals, the facilitator will announce a further wrinkle in the situation – like the hackers have started releasing information and harming customers.
Tabletop tests can provide a more realistic setting to think through problems, and they do this without tying up too many of an organisation’s resources. These tests can also give bosses some good insight into how employees work together under pressure.
A tabletop exercise needs to be done right. You need buy-in from both participants and bosses; an exercise works best when people really get into their roles.
You also need plenty of time, 2 hours as an absolute bare minimum. You want space to let the exercise play out, as well as time afterwards for discussion.
A simulation test is about as close as you can get to an actual disruptive event. And you’re probably more familiar with these tests than you think. If your organisation has done a fire drill, you’ve already done a small-scale simulation test.
You can run just about anything as a simulation test. For instance, if you’re preparing for a flood that knocks out your computer system, you could test whether employees can find and work from backup data.
Simulation tasks are the closest analogue to an actual emergency. Instead of sitting around a table, employees are at their workstations.
This allows you to see more practical issues. In a fire drill, do most businesses and employees know where the emergency exit is? If you’re testing a telecoms outage, do employees know where others are physically seated?
Simulations can cost a lot of time and resources. After all, you’re asking people to put aside their normal work.
Because simulations are more realistic, they may bring up issues for some employees that make it difficult for them to participate. This is especially true if you’re simulating a natural disaster or workplace violence.
One of the keys to a good tabletop or simulated business continuity exercise is making it specific to your industry and your organisation. Take some time to flesh out a relevant scenario before testing it out.
Imagine that a large amount of critical data has been destroyed or is inaccessible. This could be the result of a ransomware attack or just a data centre outage.
Nonetheless, you have to get access to your backup data. Who do your employees need to contact? Do they need to work with an outside vendor?
This scenario can also test your priorities for restoring data – does it make sense to do the financial info first, or is customer data more important? And what if this data loss happens while the IT guy is on holiday – can other employees handle it?
You can also get your customer service and communications teams involved to test what the message will be to your customers and press.
Imagine that a huge storm has caused power loss at your main office. The utility says they can’t get electricity restored for a few days. Your team has a lot of decisions to make.
Some of the things your business continuity exercise should discuss are:
What if the application all of your employees use fails? What if a major software program you’re running from the cloud crashes? Not only will you have work piling up, but you’ll also have dozens of employees who have absolutely nothing to do.
We may have just emerged from one public health crisis, but many businesses say another one could be just around the corner. No business wants a repeat of the chaos of March-April 2020.
So, can your organisation shift to mostly remote work at the drop of a hat? Can your employees access everything they need from a laptop at home?
Moreover, you need to determine a plan for the event that a large chunk of your employees are out sick. Are employees cross-trained? What can you do with a skeleton crew?
Under UK law, your business has to have at least one fire drill a year. But fires aren’t the only on-site risk for a company. Your employees could also be affected by storms, gas leaks, or on-site violence.
Employees should know the protocol for every emergency. When do they evacuate, and when do they shelter in place?
You should also have a plan for what happens afterwards. How will things run if working from the building isn’t possible?
If you have unionised employees working under you, there is always the chance of industrial action. Thankfully, the process of negotiations and strike votes means that employers have some advance notice.
Still, you want to ensure business continuity with plans in place for strikes, especially if they go on for a long time. How will you prioritise tasks with fewer employees? Are employees who remain cross-trained and capable of temporarily doing other tasks?
A business continuity planning exercise doesn’t mean anything unless you learn from it. You should provide ample time for discussion afterwards to see what went right and what went wrong.
Then, you should go back to your business continuity plan and make edits and additions based on your findings. Ideally, you’d run another test with your modified plan, too. Things change and evolve, and the only way for you to keep your plan relevant is to test it regularly.
If you’ve run some business continuity planning exercises and you need some help with your business continuity plan, we’ve got you covered. Whether you need data management, plan distribution, or audits, C2 Meridian puts it all into one handy and easy-to-read dashboard.
Book a demo today to see how our BCMS can help you streamline your business continuity efforts.
Lead Risk and Resilience Analyst at Continuity2
With a first-class honours degree in Risk Management from Glasgow Caledonian University, Donna has adopted a proactive approach to problem-solving to help safeguard clients' best interests for over 5 years. From identifying potential risks to implementing appropriate management measures, Donna ensures clients can recover and thrive in the face of challenges.
Lead Risk and Resilience Analyst at Continuity2
With a first-class honours degree in Risk Management from Glasgow Caledonian University, Donna has adopted a proactive approach to problem-solving to help safeguard clients' best interests for over 5 years. From identifying potential risks to implementing appropriate management measures, Donna ensures clients can recover and thrive in the face of challenges.