Under normal circumstances, if your business takes a downturn or fails, you’d take a look at yourself and the way you run things. You’d possibly conclude that it was your responsibility.
Now we have something else to blame. An invisible enemy seemingly beyond our control. But is there something more you could have done to protect your organisation against the impact of COVID-19?
And even if your business is still alive and kicking, what were the lessons you’ve learned that could make life easier next time there’s a disruption?
The obvious answer from an organisational perspective is to have an all-singing, all-dancing Business Continuity Plan (BCP). But I know from the circles I move in (us business continuity types do have a social life, you know) that many organisations that do have such plans got them out, blew off the dust and found them to be sadly lacking.
So here, I’m going to look at why business continuity plans are often not sufficient to protect your organisation in the event of unforeseen (and even foreseeable) challenges.
A BCP is not a strategy - it's a response
A Business Continuity Plan isn’t a strategy to help you mitigate any risk from disruptive incidents; it’s more about enabling you to continue when these events occur. In other words, there’s too much focus on the cure rather than the prevention. There’s much you can do before an incident arises which can help you to avoid too much disruption in the first place.
BCPs often don't have ‘initiation points’ and ‘recovery objectives’
Another consideration is that there is a need to identify the point at which you invoke such a plan – too early could result in unnecessary and disruptive changes in themselves; too late and it may be difficult for you to put into practice the plans laid out. I also often see plans that don’t specify what the end game is.
They are often ‘clones’ - not tailored to your needs
As auditors, we often find that organisations have used templates available from a variety of sources. As a principle, there’s nothing wrong with doing this - after all, why reinvent the wheel and why not borrow from best practice? But we do find that a number of organisations have then failed to consider issues which are particularly relevant to their business needs and that they haven’t accounted for things that are important to them.
BCP’s are often neglected without third party auditing
Business continuity plans are largely passive. That is, you don’t really think about them until the proverbial hits the fan. Then you take it off the shelf only to find it bears no relation to what your organisation is all about today. Let’s be honest - human nature being what it is - without the promise of a visit from an auditor to look forward to, you may well take your eye off the ball. Hence, when lockdown came, many BCP’s were found wanting.
This is largely because BCPs are often not tested either in practice, through simulation or through a third party examining the efficacy of your plans. It’s one thing to have a plan in place, but it’s quite another to have that validated and verified. Testing your Business Continuity Plan can incur time, energy and effort from those involved but testing the effectiveness of the plan is crucial to understanding if the set of actions you have laid out will assist in times of need.
COVID-19 has revealed some BCPs to be out of date and inadequate
COVID-19 has certainly been an eye opener for a lot of companies and has shown that some of their plans and actions were out of date and not up to speed. Load on networks, capacity and infrastructure are some of the many issues that have been faced by companies. A lack of awareness of how the physical isolation has impacted the abilities of the workforce has also been highlighted, with many organisations experiencing high productivity volumes (contrary to what may have been expected) but increased risks of burn-out, fatigue and mental ill health for many of those working from home.
Not resourced due to lack of buy-in from top management
A BCP takes time and effort to create and maintain. It needn’t be all-consuming, but without commitment from the top bosses, it’s one of those things that will all too often be seen as discretionary and fall down - and off - the list of priorities.
A BCP doesn’t reassure clients without independent verification
Whilst I’m sure that you are as good as your word, others may not believe your own claims that you have adequate procedures to ensure that you can continue doing what you do through thick and thin. In the same way that buyers want to see ISO 9001 certification as a mark of reliability when it comes to quality, ISO 22301 is seen as a mark of your reliability when it comes to, erm, reliability.
Only through independent verification from a certification body can you provide assurance to your prospective and existing clients that you’ll be able to continue to provide the products and services you deliver to them whatever arises.
So, a BCP alone is not enough. What’s the solution to this? Well, I’m obviously going to say that a full blown ISO 22301 Business Continuity Management System is the answer - and it is. ISO 22301 addresses all of the weaknesses identified above.
If you want to know more about ISO 22301 certification, call my friendly colleagues on the phone number you see at the top of this page.