Or: five Common Mistakes and How to Avoid Them By Brian Davey, Senior Consultant, Teed Business Continuity, based in Stirling.
This article seeks to provide some hints and tips on how to avoid five common mistakes or false assumptions organisations can make when implementing their business continuity management programme.
1.Appointing the Incident Management Team late
When implementing a business continuity management (BCM) system according to the lifecycle advocated by BS25999, the Incident Management Team is not appointed until after the "Understanding the Organization" and "Developing BCM Strategy" stages are complete. This assumes that you won’t have an incident in the meantime.
Instead, form an Incident Management Team up front, comprised of a senior manager/director as team leader to provide the team with authority and include a senior representative from Operations, IT, Finance, Legal, Public Relations and Facilities Management/Safety (or their equivalents in your organisation). Appoint a deputy for each role. Implement a clear escalation process, supported by emergency contact details, to ensure that anyone who comes across an incident (actual or potential) is able to inform (regardless of the day or time of day) at least one member of the Incident Management Team to allow them to assess whether or not they need to form and respond. Exercise the Incident Management Team and capture any actions arising which are required to improve the incident response capability. The Team’s plan of action to manage the incident can be used as the basis for drafting your Incident Management Plan. Membership of the Incident Management Team can be modified, if required, at a later stage in your BCM programme.
2.Assuming the incident will happen at 2am on a Sunday morning
It is just as likely that the incident will happen when your employees are at work. But if the fire alarm sounds, how ready are you to respond?
Run a simple tabletop exercise based on an incident occurring during working hours which requires premises evacuation and results in destructive loss which needs to be managed and recovered from. This will highlight your state of readiness and identify improvement actions.
Create a Grab Bag and place it at the main entrance to the building or at the reception desk and ensure the Bag is taken out of the building as part of the standard evacuation procedure. The Grab Bag should contain, as a minimum, a copy of the Incident Management Plan and/or Business Continuity Plan. You should also consider including essential contact details, any directions to recovery sites and other emergency reference material, response plans and supplies to suit your needs.
3.Assuming muster points will be available
Depending on the nature of the incident being faced, your standard muster points following an evacuation may not be available if they are considered to be unsafe or the emergency services direct your employees away from the area. This can quickly lead to employees wandering off which will hamper your efforts to stay in control.
Ensure that you have a fallback location agreed which will be sufficiently large enough to accommodate your employees in a safe, sheltered environment. Also ensure that employees are regularly briefed on the fallback location and are aware that the organisation expects them to report there if the muster points are unavailable post evacuation. If you are based in a city, then you may want to consider multiple fallback locations to provide more flexibility should local street closures prevent you from reaching the primary fallback location.
4.Trying to scare senior management into addressing BCM
Senior management tend to be optimists, which they have to be otherwise they are not able to take risks and move the organisation forward. So, in my experience, trying to get them to back BCM initiatives by using scare tactics doesn’t work.
Instead, emphasise that a key aim of BCM, as part of sound corporate governance, is to try and minimise operational outages and keep the company running by introducing resilience to failure, not just having the ability to respond to adverse situations which may never occur. Focus on the organisational impacts arising from operational outages, howsoever caused, and the effect these can have on meeting day-to-day objectives with a resultant threat to reputation and, ultimately, the bottom line. Highlight that BCM can be used as a marketing tool, demonstrating that you are better prepared than your competitors to meet deadlines and satisfy stakeholder expectations through having operations which are resilient to failure and can be recovered quickly should the unthinkable happen.
Try running a simple tabletop exercise with the senior management team, using a straightforward incident scenario as mentioned earlier. Capture the learning points at the end of the exercise – what went well, what went not so well and actions arising. The exercise will raise awareness of BCM, highlight the current state of readiness to manage an incident and gain buy-in to taking remedial action where shortcomings in the response have been identified.
5.Forgetting about the importance of employee awareness
In my experience, too few employees are made aware of the Business Continuity Plan and the organisation’s expectations of them should an adverse situation arise. This can cause confusion and severely hamper efforts to maintain continuity of business.
Ensure that employees are briefed regularly on the Plan and on their roles and responsibilities post incident, perhaps through team briefings or corporate publications. Make the Plan available to employees via your Intranet or shared data drives. Try to include key employees in business continuity exercises as well as involving them in BCM initiatives as much as possible. Take key people on visits to recovery sites to familiarise them with directions and the working environment and facilities available there. Ensure that all employees are aware of the fallback location(s).
In conclusion, this article has sought to demonstrate that, although common, these five mistakes can be avoided without significant effort or expenditure being required. Avoiding them will undoubtedly help contribute towards the success of your BCM programme and your ability to respond effectively to an incident.
About Teed Business Continuity
The firm will be exhibiting at the Business Continuity Expo and Conference at EXCEL Docklands from 2- 3rd April 2008 – a UK event for managing risk, resilience and recovery. This event will explore the solutions and best practice to ensure operational continuity and protect a company’s interests before during and after an incident.
For more information visit www.businesscontinuityexpo.co.uk
