In this blog, Phil Knight, Senior Consultant at URM, explores the fundamental elements required to build a practical and effective business continuity capability, highlighting the key success criteria and common pitfalls to avoid for each. He explains the importance of grounding your approach in a robust business impact analysis (BIA), embedding clear and accessible response arrangements, and ensuring people across the organisation understand their roles. The blog also emphasises the need to test plans through realistic exercising and to actively manage third-party risks, ensuring continuity arrangements remain aligned to real-world dependencies and priorities.
Disruption is an inevitable reality for organisations of all sizes. It can come in many forms, from external events such as cyber-attacks, supply chain failures, or extreme weather, to internal challenges such as system failures, human error, process breakdowns, or the loss of key personnel. Regardless of the source, disruption rarely arrives without warning, and even with the strongest preventative measures, it cannot always be avoided.
Business continuity (BC) provides the framework for responding to these disruptions, enabling organisations to prepare for crises, protect critical operations, minimise impact, and recover effectively. While its importance is widely recognised, translating BC from theory into a practical capability is often challenging.
Establishing a robust BC approach demands careful consideration and a clear understanding of what truly matters to the organisation. Although the process can be complex, any successful approach is underpinned by a number of fundamental ‘must-dos’ that all organisations should have in place to ensure they are prepared to respond when disruption occurs.
Conduct a Business Impact Analysis (BIA)
A BIA is a means of measuring how disasters disrupt your operations. It provides clarity on what truly matters when disruption occurs, identifying critical activities, quantifying consequences of failure, and setting clear recovery priorities. Without a BIA, any subsequent planning is based on assumption rather than evidence.
We frequently receive requests from organisations to review their business continuity plan (BCP) or undertake a BC exercise, despite no BIA having been conducted. Instead, critical functions and priorities have been identified through assumption, creating a misaligned focus that does not reflect reality and risks exercising and protecting the wrong aspects of the organisation. As such, the BIA is perhaps the most important element of effective BC, providing the evidence base on which all other planning should be built.
Criteria for success and common pitfalls to avoid
We see some organisations that perform the BIA lose focus, treating it as a standalone exercise and believing that simply completing it is enough. This is not the case; a BIA only delivers value when its outputs are actively used to inform your wider BC arrangements, ensuring that insights gained are carried through into planning, prioritisation, exercising, etc.
It is essential that you receive sign-off and engagement from senior management on your BIA, but this must be complemented by engagement across the entire organisation in order to gain all the necessary insight required for effective completion. Speaking to senior management can be a strong starting point, but the people working day-to-day within the business will possess deeper, practical knowledge of operational detail.
However, gathering input from across the organisation can lead to a wide range of responses, with variation and subjectivity in how people interpret and answer questions. To ensure consistency, you need to establish a formal BIA methodology that includes defined criteria and guidance for assessment. For example, the use of impact scales, covering a range of impacts (such as brand and reputational, regulatory compliance, contractual obligations, financial, etc.), can help to guide responses and provide a more objective, comparable basis for analysis. A final oversight and sign-off by senior management also provides a valuable sense check, helping to identify any anomalies or instances where impacts may have been under- or overstated by individual functions.
For more information on how to perform a BIA, read our blog on Conducting a Business Impact Analysis (BIA) as Part of Your Organisation’s Business Continuity (BC) Planning.

Provide Awareness and Training
BC relies on people, not just plans, and everyone within an organisation has a role to play in helping it recover from disruption. For some individuals that role will be integral, such as members of the crisis management team. For others, this role may be less defined and specific, but no less important: understanding what is happening, where to find reliable information, and how to communicate with clients, colleagues, and teams. Crucially, anyone in an organisation can be the first to identify that an incident has occurred, and it is therefore essential that all staff know how to recognise potential issues, who to escalate them to, and that they cannot assume someone else will take responsibility.
Criteria for success and common pitfalls to avoid
We would always strongly recommend that organisations deliver BC awareness training to new employees during induction, but it is important not to overlook the need for refresher training among existing employees. There may be staff within your organisation who were inducted years ago, and there may have been changes to your BC arrangements in that time. Perhaps your organisation has moved premises, operations have changed, or roles and responsibilities have shifted; awareness needs to be refreshed so that all employees remain current with such updates.
There may also be a place for specialist, role-based BC training in addition to general awareness training. For example, individuals responsible for managing staff welfare during a crisis will need an understanding of and access to the relevant resources that are needed for this, while the appointed media representative will need to know who their contacts are and whether there is a PR agency on call. Similarly, the individuals within your organisation who are assisting with the BIA may require some training to help them understand the context behind what they are being asked, and to provide consistent and relevant answers.
Establish a (Formal) Recovery and Response Approach
Your BIA will define what matters, but your recovery and response approach defines what happens next. It sets out the actions your crisis management team must take, who is involved, and the roles, responsibilities and decision-making authority within that team. It also clarifies expectations for the wider organisation, such as communication protocols, behaviour during incidents (e.g., avoiding social media activity), and practical measures like relocating to alternate sites if required. In essence, this approach establishes the structure, governance, and steps needed to enable an effective recovery from disruption.
This should not be confused with the BCP. While the BCP forms a very significant part of the overall approach, it is better understood as a concise, accessible reference document to guide teams during an incident by outlining key actions, escalation criteria, and responsibilities. By contrast, the recovery and response approach is the process of defining and agreeing those elements in the first place.
Criteria for success and common pitfalls to avoid
While the plan is just one element of your approach, it is often the element that organisations get wrong. One of the most common mistakes made by organisations is producing a BCP that is too complex. This inevitably leads to people not using the BCP when disruption actually occurs; during the pressure and uncertainty of a crisis, individuals need clarity and assurance, which will not be provided by lengthy, complicated documents that are difficult to navigate. As such, your BCP must be designed with the realities of a high-pressure scenario in mind, ensuring all the necessary information is included but still being conscious of the need for simplicity and accessibility.
Many organisations use appendices in their BCPs, defining extensive scenario-based instructions. The effectiveness of this is often limited, for the same reason as discussed above: your BCP should be as short, simple and easy to follow as possible. Excessive detail will not only result in teams becoming overwhelmed and decision making slowed down, but can also encourage individuals to try to force real incidents into predefined scenarios. In reality, crises are rarely predictable. They are nuanced, fluid and often defy neat categorisation, so attempting to anticipate every possible situation can carry significant risk and limited benefit.
You also need to ensure you define an effective communication plan. Communication underpins every aspect of a response, and the lack of a well-defined communication strategy is one of the most significant weaknesses an organisation can have during disruption. Your communication plan needs to cover all aspects of communication during a crisis, both internally and externally. This includes pre-defined communication (including media statements), roles and responsibilities, communication rules for staff, whether external support, such as a PR agency, will be engaged, the communication methods to be used if usual channels are disrupted, etc.
How this plan is documented will depend on the size and complexity of your organisation. Larger organisations with dedicated teams and more defined structures will often benefit from a standalone communication plan, owned by the team responsible for managing crisis communications. In contrast, for smaller organisations looking to define their plans in a single document, a section in the BCP dedicated to communication will likely be sufficient. In either case, the key is to ensure the plan is clear, accessible and actionable when it is needed most.
For more information on developing BCPs, read our blog on How to Develop a Robust Business Continuity Plan. Meanwhile, our blog 7 Key Tips for Communicating in a Crisis gives further detail on producing a communication plan, and what good crisis comms look like.
Exercise Your Response
Exercising your BCPs is the only way to establish their effectiveness without waiting for genuine disruption, where any gaps in the plans or in teams’ ability to follow them can have serious consequences for your organisation. Exercising, on the other hand, allows you to validate plans, identify gaps and risks, strengthen coordination and test team readiness without the high stakes of a real incident. It can provide tangible value in a very short amount of time, with the greatest amount of value being gained during an exercise when things go wrong, as this allows you to identify weaknesses that are far better addressed in a controlled environment than under real conditions.
Criteria for success and common pitfalls to avoid
It is important to ensure that you have a clear picture of what you want to achieve and gain from each BC exercise you conduct, while also ensuring that you exercise from different angles and viewpoints. If resources are limited, the most valuable single exercise is a crisis management simulation, where the frontline response team works through a scenario together. However, in these circumstances, it is still advisable to conduct more informal exercising with other areas of the business, which can be as quick and simple as a 30-minute discussion around how they would respond to a particular scenario.
Exercising also needs to be realistic. If an exercise is based on a scenario that isn’t engaging or plausible, participants will soon lose interest and fail to take it seriously, limiting the benefit that can be gained. As such, you should always take time to ensure the scenarios your exercises are based on are proportionate to the risks you face and circumstances you could genuinely come up against.
For further information on what is involved in effective exercising, read our blog Business Continuity Exercising.
Ensure You Have a Comprehensive Third-Party Continuity Management Process
Resilience now extends beyond your organisation. In recent years, there has been a clear shift away from in-house responsibilities, utilities, systems, etc., towards outsourcing of those processes and operations to suppliers and service providers. Third parties, particularly cloud providers, underpin critical operations, and their failure can quickly become your disruption. It is not enough to onboard a third party and consider the relevant risks transferred; suppliers need to be managed on an ongoing basis. If you have conducted an effective BIA, you will likely have identified your critical suppliers, and the logical next step is to take that list and apply a comprehensive continuity management approach to those third parties.
Criteria for success and common pitfalls
The suppliers you prioritise for continuity management will not necessarily be those that cost your organisation the greatest amount of money. Instead, prioritisation should be based on suppliers’ criticality, as identified by your BIA. We always recommend defining supplier tiers based on criticality, which then informs how diligently and thoroughly they are assessed and managed.
What your continuity management approach looks like in practice will depend on the specifics of your organisation and what works best for you, but typically includes aspects such as questionnaires, audits, contractual obligations around delivery commitments, conducting joint exercises, etc. At the highest tier of criticality, it is advisable to engage suppliers in all of these activities. There is effectively no such thing as ‘too much’ for these key suppliers; if disruption occurs and you have not taken all reasonable steps to understand and manage the associated risks, accountability will rest with your organisation in the eyes of clients, partners, and other stakeholders, not with the supplier.
Closing Thoughts
There is no single, perfect way to approach BC, and the specifics of how it is designed and implemented will vary significantly between organisations. However, there are clear fundamentals that need to sit at the heart of any BC approach. Organisations that embed these principles create a foundation for responding to disruption in a way that is aligned with what truly matters and enables informed action under pressure.
How URM Can Help
Drawing on extensive practical experience and a strongly ISO 22301-aligned approach, URM can support your organisation in building business continuity capabilities that are both effective and proportionate.
BIA support
Establishing the foundation for effective continuity planning:
- Practical BIA support, including design of methodology, impact criteria, and assessment framework
- Clear identification of critical activities, recovery priorities, and dependencies
- Use of Abriska® 22301 to streamline analysis and directly inform your business continuity plan.
Plan development, exercising, and improvement
Turning strategy into actionable and tested capability:
- Development of tailored business continuity plans aligned to your organisation’s structure and risks
- Design and delivery of realistic business continuity exercise scenarios to test plans and team response
- Post-exercise reporting with clear, prioritised recommendations to strengthen resilience.
Gap analysis and ISO 22301 support
Providing clarity on your current position and a structured path forward:
- Business continuity gap analysis against ISO 22301 or recognised best practice
- Prioritised, practical roadmap for remediation and capability enhancement using the outputs of the BC gap analysis
- End-to-end support through implementation and preparation for ISO 22301 certification.


