How to Create a Robust Business Continuity Plan

The sudden outbreak of the ‘black swan’ event COVID-19 is prompting most business leaders to brace for the toughest phase in their careers. The biggest challenge facing them right now is business continuity. They are revisiting, testing, and reworking their business continuity plans to proactively figure out the best-suited approach for their unique situations. The key here is the speed of response to a situation in these uncertain times. Hence it is imperative to have a 360-degree agility assessment of resources, systems, policies, procedures, and capacities in hand to mitigate risks.

Your business continuity plan should be able to mitigate the adverse impact on critical assets, provide guidance for bouncing back quickly after the initial disruption, and make it possible to launch new processes specific to the particular crisis, i.e., it should define elements that can be quickly assembled and customized to take care of that specific situation.

Below is a rundown of the factors to watch out for in order to skillfully navigate the impact of the crisis, which remains for a considerable time even after the crisis is over.

Apart from maintaining business continuity in the short run, the after-effects of the current situation and the tough decisions to be taken to survive can have an impact on customer trust, investor and staff trust, and branding, among others.

Here are the key steps to build the plan:

  1. Define purpose and objectives clearly
  2. Build accountability for implementing the plan
  3. Gather input – risk matrix and risk scores
  4. Assess the risk of potential consequences on functions and operations
  5. Ensure they are included in the risk register
  6. Put measures in place to ensure the safety and security of employees, assets, and operations
  7. Activate the plan
  8. Monitor, update as needed

If you have a comprehensive corporate risk management policy and tool, its principles still hold good. If your tool helps you identify and assess risks, develop preparedness and response actions for the identified risks, escalate them to the C-suite, and monitor all the levels, you can do the planning under the corporate risk management policy. However, understanding the process greatly helps in building a robust plan.

1. Define your purpose and objectives for the business continuity plan clearly

Your goal can be very focused on increasing the company’s resilience in case of potential disruptions. After defining the purpose, list the key objectives of the plan in clear terms. Elements may include:

  • To ensure continuity of critical business operations and IT operations essential for conducting business during the crisis
  • To minimize the disruption of critical operations to a near-zero level with a resilient business continuity strategy and framework while meeting regulatory requirements

While executing each of the following steps of the business continuity planning process, make sure to document them, so that they can be verified and revised before the final plan is released.

2. Build accountability for implementing the plan

While the ultimate responsibility may rest with the board, accountabilities for management and execution must be defined. The accountable senior executive must:

  • help employees understand and become familiar with the plan so that they can effectively carry out their roles when the plan is ready
  • ensure that the plan is maintained, reviewed, tested, and revised regularly
  • approve and sign off every time revisions or updates are made

[Figure: BCP Roles]

3. Gather inputs, identify and score risks

  • To start planning, invite the head of each function, including representatives from operations, supply chain, human resources, administration, IT, communication, security, and other departments of your business.
  • Use a risk matrix as shown below to identify and record key risks. In the same matrix, record the potential consequences on staff, operations, assets, and facilities. Obtain the risk levels by defining the impact characteristics and the likelihood of occurrence.

Using the risk scoring table, determine the risk criticality levels. These scores will allow you to prioritize which risks to address.


4. Assess their potential consequences on functions and operations

Once you have scored the risks, classify which risk actions you need to start and which risk actions are already in effect. For those risk actions already in effect, check whether you need to bolster or improve them. Consider the following examples:

  • During this time of COVID-19, banks may have to make adjustments in operating models and make swift innovations due to misaligned revenues and costs. There is also a huge change in customer service preferences: customers are increasingly looking to run their financial life through apps and online banking. And so, banks are expected to act swiftly to increase awareness and take other response actions.
  • A retail store that focused on offline sales might choose to increase the focus on online sales.

5. Then ensure that the critical risks and risk responses are included in the risk register

This step mainly helps with budgeting and finance allocation.

6. Put measures in place for the safety and security of employees, facilities, staff, and operations

Examples include:

  • Policies and SOPs for remote working
  • Policies and SOPs for the safety and protection of employees in essential roles that need to be performed from an office or on location
  • Cancellation of business trips, meetings, and events, and arrangements for virtual meetings
  • A taskforce to continuously assess the COVID-19 situation and a clear command and control matrix, covering all functions with the needed backup
  • Engagement with the third parties and partners who support your operations, to further strengthen continuity and minimize the impact
  • SOPs for communicating emergencies
  • Facility-specific security plans
  • Asset protection policies – e.g., inventories, information technology resources, etc.

7. Activate the plan

Use risk assessment and possible scenarios as triggers for activation or deactivation of the plan.

8. Monitor, update as needed

Monitor and regularly update the plan according to the evolving risks and needs.

Apart from the plan, when the situation returns to normal, people expect businesses to be more aware of their social responsibilities. Particularly during pandemic situations, how the company is aligned with environment, health, and safety-related activities will play a big role in brand building, and hence it needs to be well thought out and documented.

Here’s to your business continuity planning success!

Priyabrata manages the MetricStream University & ComplianceOnline functions for MetricStream, which enable partners and customers through training, content, and expert services.