Keep calm and carry on
25 October 2019
Given the catastrophic scenes that have unfolded in central Auckland over the past few days, we thought this was a timely opportunity to underline the importance of having a fit-for-purpose Business Continuity Plan.
For those who aren’t aware, a fire broke out at the SkyCity International Convention Centre early on Tuesday afternoon of this week, and soon took hold of a large portion of the building, which is still under construction. While the full extent of the damage is still unclear – the assessment process is likely to take months – it’s likely that the bill will run into the nine-figure region and that the $700m project will be delayed by years, not months.
Business Continuity Plans are often overlooked, either dismissed as unnecessary, a waste of time, or the realm of ‘big business’. The reality is that they do offer little value, until you need one. In fact, you may never need one, but if you do, a well-structured plan could be the difference between a swift, pain-free recovery, and irreparable, possibly fatal, damage.
Here are five key things to consider when developing your plan.
- Know your business – To be meaningful, your plan must be tailored to your specific needs and circumstances. Start by identifying your mission-critical activities – those activities that are at the core of what you do. Then assess the likely impact that an incident would have on each aspect of your organisation. Lastly, understand your recovery time needs – how long could you survive without these activities? Therein lies what you ought to plan for.
- Understand your options – To be useful, recovery options have to be commercially fit for your organisation, and commensurate with likely disruption. Start by identifying your recovery options based on the most likely incident scenarios that are relevant to you. Then analyse the cost-benefit of each option. Select only those options that balance cost with the level of disruption you’re willing and able to tolerate.
- Achilles heel – Every organisation is different in terms of size, location, premises, structure, people, customers, and suppliers – plans must reflect this. A robust plan is one that’s bespoke to your risks. As advisors, we often see clients target their plans on only those incidents that have a direct, often physical, impact on the organisation (think loss of premises due to earthquake, fire, or flood). However, more often than not, it’s a dependency on third parties that proves to be the Achilles heel.
- Find balance – To be effective, your plan should be holistic. Continuity planning isn’t just about IT resilience and recovery. Recovering your systems and data swiftly after an incident is usually critical, but it shouldn’t come at the cost of other considerations. For example, having your systems and data recovered within minutes of an earthquake is little consolation if your people have nowhere to work from. Be sure to balance crisis management, continuity arrangements, communication and PR, disaster recovery, and IT recovery equally.
- Test, train, and maintain – Like most things in life, you won’t truly know if your plan works unless it’s tested. Be sure to test your plan periodically to ensure it’s sufficient and fit-for-purpose. Similarly, your plan is only as good as the people delivering it – allocate clear responsibilities and train your people on what to do. Organisations change – so should your plan. Periodic reviews are the best way to ensure that your plan is fit-for-purpose and up-to-date.
This is a topic that we’re really passionate about – we’ve seen far too many businesses struggle to recover after a significant event. Given its importance, perhaps it’s one that deserves at least some airtime at your next board meeting?
If you have any questions, please don’t hesitate to contact Tarunesh.