Business Continuity Guide


Introduction

All businesses need to be aware of the risks facing them every day and how to effectively manage them. Within this business continuity guide we have provided high-level information and advice on the risks you should be aware of, the range of solutions you can put in place to protect your business, and a checklist for you to assess your strengths and weaknesses.

Certainty in an uncertain world

In today's uncertain times it is critically important that all businesses make sensible provision for the unexpected. It is no longer acceptable for organisations to tackle problems as they arise, as this is often too late. In fact, almost 50% of businesses that suffer an incident and don't have a business continuity plan will fail within 12 months. [1]

In order to truly protect the value of a business for shareholders, customers and employees it is vital that potential problems are identified and eliminated before they occur. For a business to be totally resilient to disruptions it needs to implement a business continuity plan at a strategic level, and it is imperative that it is adopted throughout the company and seen as an evolving plan.

What is business continuity?

The Business Continuity Institute defines business continuity management as: "A holistic management process that identifies potential impacts that threaten an organisation, and provides a framework for building resilience and capability for an effective response which safeguards the interests of its key stakeholders, reputation, brand and value-creating activities."

The importance of business continuity

Often perceived as a luxury or the preserve of large institutions, business continuity is essential for surviving in the increasingly challenging and competitive climate. Changing expectations mean that even a small disruption can have a disastrous effect on the reputation and profitability of an organisation, as well as on customer and supplier confidence.

Implementing an effective plan could help your business in the following ways:

1. Prevent financial loss: the cost of not being able to service customers, even for a short period, can have serious financial implications
2. Provide compliance: creating a working business continuity plan will help your company work towards adherence to regulatory best practices and meet specific legal requirements, depending on industry
3. Protect the value of your business: mitigate the negative effects an incident can have on customer and public confidence, which will in turn affect your brand and company value
4. Reduce costs: with pre-arranged business continuity the cost of restoring your business will be drastically reduced
5. Increase competitive advantage: by demonstrating a commitment to the continuation of your business, you can differentiate from competitors, attract new customers and assure current clients
6. Prevent loss of production: having provisions in place will ensure you are always able to meet deadlines; as a result, your business will be reliable and consistent
7. Prevent loss of operational data: having off-site backups of your critical data will prevent it from being at risk of damage or loss, ensuring your business is always operational

Things to consider in an emergency

Having a plan to protect the continuity of your business is not enough to adequately prepare for a disruption or disaster. Even the best plan will be of little use if your staff has no idea of how to implement it when the time comes. Ensuring the appropriate responses are taken by each and every person affected will ensure you see little effect from the interruption to the usual running of your business.

1. Plan in advance how you will react to various emergencies
2. Always be prepared to assess the situation rationally
3. Stay calm
4. Delegate roles to people within the company
5. Have contact numbers accessible, i.e. phone or off-site backup

The risks

Implementing a business continuity plan and preparing for the future is important regardless of the size of the business. There is a massive range of risks that could affect the running of your business; both internal and external threats should be considered when making your continuity plan.

Threats you may want to consider:

Internal threats
- Gas leak
- Air conditioning unit malfunctions leading to fire
- Pipe damage leading to flooding
- Loss of power
- Loss of networks (data and telephones)
- Damaged hardware
- Internal staff security

External threats
- Gas leak from surrounding buildings
- Chemical leak or explosion
- Fire from surrounding buildings
- Severe weather leading to flooding or building damage
- Denial of access
- Terrorism
- Vandalism/theft

Common misconceptions

Our business is too small

Your business continuity plan is entirely dependent upon the size and needs of your business. If your business has 25 staff or fewer and no need for immediate operational time, then you do not need to have the same plan a business with 500+ staff would have. There are many different options available to ensure you get the right solution for your business at a price that is affordable for you.

This is all about more IT and we have plenty already

Business continuity is not just about the running of your IT; it exists to ensure that your business remains operational. Having your data backed up, the telephones available in a power cut, and your staff able to be relocated if your offices become unusable are all factors that need to be considered when planning your business continuity.

It won't happen to us

Nationally two-thirds of small businesses have been negatively affected by extreme weather in the last three years, with only 25% having a business continuity plan in place. [2]

It is too expensive for us

You can have the right solution to fit your business at a price that is affordable for you. You may not need extensive provisions in place to ensure the continuity of your business.

I'm insured and don't need this

Insurance does not always cover the money you will lose by not being operational. It generally only covers the cost of the damage you have incurred initially. Insurance will also not protect against the damage you will suffer in terms of customer trust and brand reputation.

Solutions to consider

Workplace recovery

This is a solution available to businesses of all sizes. If your office were to suffer a disruption, you could relocate your staff, data and phones within a number of hours to a facility located within a short radius of your original location. You would be able to carry on your business as usual without your customers knowing the difference.

Backup and replication

Secure, offsite backup is essential to achieve operational resilience. Unfortunately, data loss is a common issue and statistics show that only a minority of businesses are successfully recovering lost data. A well-tested solution that is replicated over geographically diverse sites is an ideal answer to this issue.

Disaster recovery as a service (DRaaS)

Many organisations are using the cloud for their disaster recovery requirements. DRaaS is a cost-effective and agile way of keeping businesses running during and after an event, providing virtual recovery for critical systems, data and applications.

How to get started

1. Ensure you have full support from senior management
2. Ensure the plan is owned by the business, although day-to-day organisation and administration can be delegated to a management team (this is not just an extension of an IT disaster recovery plan, therefore IT may not be the best owners)
3. This process is not just about creating a plan; it is about business culture, ongoing review and ownership. Explain to staff the importance and implications of not having a regularly tested plan
4. Clearly identify an organisational structure for command and communication in the event of an interruption
5. Perform a business impact analysis and risk assessment, and agree a strategy to mitigate key risks
6. Include the critical processes you need to recover, within what timeframes recovery will be required, and what resources will be needed to implement recovery
7. Look at what you may have already in respect of alternative arrangements, e.g. dual site IT, maintenance contracts, other third-party arrangements, alternative working arrangements, and outsourcing
8. Continuously review and test your business continuity plan and ensure you have a copy stored offsite so you can access it remotely

Business continuity planning methodology

Introduce True Business Resilience

1. Understand your business by performing risk assessment and impact analysis. This will identify the critical areas in your business, those whose loss would cause the most damage to both finances and reputation, and thus the recovery priorities.
2. Plan business continuity by determining strategies to mitigate loss. Assess the relative merits against your business environment and their likely effect on maintaining critical functions.
3. Implement business continuity by putting in place measures to safeguard your business in the event of disaster and making key staff aware of the plan.
4. Test business continuity by performing scheduled test scenarios involving your key members of staff to develop members' experience, improve your plan and develop trust in the plan itself.
5. Maintain business continuity by performing constant maintenance and keeping both the business continuity plan and staff updated at all times.

Your business continuity assessment

10 minute assessment

If you do not have a business continuity plan, this short assessment will outline the criteria you need to consider in order to help you prepare for an emergency (internal or external) that may disrupt your business/organisation. The assessment has been split into sections for ease of reference (ideally you should have all of these criteria fulfilled).

What do you do on a day-to-day basis? (Yes / No / Don't know)
- Have you considered the impact of direct risks to your business (IT failure, mechanical failure, loss of power, staff absence, fire, supply chain failure, etc.)?
- Have you considered the impact of external risks to your business (denial of access to your premises, theft, flooding, fire from adjoining property)?
- Do you have vital computer information stored on backup systems held off-site?

People are the greatest asset and investment to any business. It is important to consult with your staff throughout any business continuity process; it will fall on staff to lead on and carry out many of the tasks required for a business to survive should there be a crisis.

Personnel (Yes / No / Don't know)
- Have you got a list of all employees' telephone numbers?
- Have you made a list of all key contacts' telephone numbers?
- Do you have an up-to-date and regularly reviewed job description and hierarchy chart for your company (include temporary and contract workers)?
- Do you have staff personal information on file, i.e. communication with next of kin (include temporary and contract workers)?
- Are the above details held in more than one location (preferably off-site)?

Personnel: Emergency situation (Yes / No / Don't know)
- Do you know where to go for advice/information (health & safety; fire prevention; security and crime prevention; news updates)?
- Does your staff know who is in charge in a time of crisis?
- Do you and your staff know what to do in an incident?
- Do you and your staff know what to do if you were affected by a hardware failure, fire, theft or flood?
- Have you made a list of all emergency key contacts' telephone numbers?
- Has your staff been assigned specific roles to do in the event of a crisis?
- Do you have out-of-hours contact procedures for staff?
- Do you have members of staff with first aid or medical training?
- Have you considered alternative working arrangements (office relocation, ability to work from home, etc.)?
- Do you have any particular staff with critical and unique skills?
- Are the above details held in more than one location (preferably off-site)?

Buildings and equipment are the greatest physical assets of any business or organisation. They provide the mechanical means to deliver your services or products. Procedures need to be put in place to protect these assets to better enable a business to survive a crisis.

Building Facilities (Yes / No / Don't know)
- Do you have a floor/site plan to your building(s)?
- Does your building(s) require 24-hour, 7-day access?
- Have you checked that all plumbing is in working order?
- Do you check that the heating and air conditioning is working on a regular basis?
- Do you carry out end-of-day inspections (i.e. to check everybody has left)?
- Do you make sure that all appliances are switched off?
- Do you check that all doors and windows are locked?

Building Facilities: Emergency situation (Yes / No / Don't know)
- Have you made a list of all emergency key contacts, e.g. telephone numbers for buildings/equipment maintenance, services problems (electricity, gas, water, and telecommunications)?
- Have you familiarised yourself and your staff with the location of the mains switches and valves (i.e. for electricity, gas and water)?
- Do you have fire safety procedures in place?
- Do you regularly practise fire drills?
- Do you have evacuation procedures for your building?
- Are the fire exits clearly marked?
- Do you have any staff trained in evacuation?
- Do you have primary and secondary evacuation points?
- Do you have generator backup systems in place?
- Do you have an alternative building to use in an emergency?

Company Equipment (Yes / No / Don't know)
- Do you have someone accountable for the assets of your company?
- Do you have controls over the movements of your company equipment?
- Have you completed a recent inventory of your company equipment?
- Do you have current maintenance contracts for your company equipment?

Security, both internal and external, is important to the running of any organisation. Theft, malicious damage, physical abuse, etc. can all have an effect on how a business functions. Simple measures for the examples below can be put in place, and assistance is often available from government agencies to ensure greater security and awareness of the problems this issue can cause a business.

Security (Yes / No / Don't know)
- Is there a security system installed?
- Do you have a security policy?

Security (continued)
- Do you have an entry procedure policy for staff/visitors/customers/contractors?
- Are contractors checked fully (i.e. company as well as each individual)?
- Do you check references fully?
- Do you regularly check the integrity of external fences and doors?

Information technology is central to the success of most businesses/organisations. The threats to computers and the systems controlled by them are well documented and in most cases easily combated. It is important that staff are informed of the dangers and that systems to protect your IT are put in place.

Information Technology (Yes / No / Don't know)
- Are your IT systems critical to the running of your business?
- Do you regularly backup your information?
- Do you hold a copy of the backup information off-site?
- Do you have IT maintenance staff or a maintenance contract?
- Do you have a tested IT disaster recovery plan?
- Is your computer anti-virus software up to date?
- Are computer errors and logs adequately monitored?
- Are documented IT security policies and procedures in place?
- Are all computer users fully aware of and internet usage policies?
- Do you know how many platforms/servers/applications or operating systems support critical business functions?
- Is your company system part of a larger network?
- Do you know how long it would take to recover IT functions?

Many businesses/organisations maintain hard copy data. This data is vulnerable to loss or damage by fire, flood, theft, etc. As with electronic data, it is important to protect this information.

Paper Documents (Yes / No / Don't know)
- Do you copy/backup your information?
- Do you store your paper documents in reinforced containers?
- Do you have copies of your files and accounts at a separate location?
- Is someone responsible for the upkeep of your files and accounts?
- Do you make sure that you have a clear desk policy?

A business/organisation can be affected by events out of its control; disruption to suppliers and customers can affect service delivery. This risk can be assessed and procedures put in place to minimise the effects of these disruptions. Alternatively, if your business is involved in a crisis, good communications and liaison with suppliers/customers will enable you to better respond to that crisis.

Suppliers (Yes / No / Don't know)
- Do you have the correct contact details for all your suppliers?
- Are the above details held in more than one location (preferably off-site)?
- Have you identified alternative suppliers?
- Do your key suppliers have a business continuity plan?

Customers (Yes / No / Don't know)
- Do you have the correct contact details for all your customers?
- Are the above details held in more than one location (preferably off-site)?
- Do you have any key customers who you will need to be in constant contact with during a crisis?
- Would it affect your business if one of your key customers went out of business?
- Do your customers have a business continuity plan? (They may require that in future you have a Business Continuity Plan)

The location of your business can have a bearing on how you respond to a crisis, or how an external crisis affects you. Is your location part of a complex, e.g. shopping centre, trading estate; is it near an industrial site; located in a flood plain, etc.?

Location (Yes / No / Don't know)
- Have you thought about the types of risk that might occur due to the actions/operations of other businesses near to you (i.e. industrial, sewage works, risk of pollution, etc.)?
- Have you thought about the types of risk associated with the environment (e.g. water, climate, forestry, etc.)?
- Do you have regular contact with neighbouring businesses (e.g. local business forum)?
- Do you have the contact details for businesses in your area?
- Are you aware of any emergency response procedures specific to your location? (Control of Major Accident Hazard sites; shopping centre evacuation procedures; industrial estates, etc.)

Insurance (Yes / No / Don't know)
- Do you have sufficient insurance to pay for disruption to business, cost of repairs, hiring temporary employees, leasing temporary accommodation and equipment?
- Do you have copies of your insurance company's details in order to contact them immediately at the time of the incident?
- Are copies of your insurance policies and insurance contact details held off-site?

By completing this checklist you will now have an insight into what may be required by your business/organisation to better enable it to survive an emergency. It is worth considering assembling a business emergency pack (battle box), in which you would keep the information you would require should there be an emergency and entry into your premises is denied.

The next stage of the process is for a business/organisation to write a business continuity plan. The information compiled in completing the checklist has given you the areas that need to be addressed in order for your business to recover far quicker and with fewer losses than a company that may disregard the process, thinking 'it would never happen to us.'

A business continuity plan combines all the elements of the checklist but is structured in such a way as to give an overview of the complete process. This process details and co-ordinates how a business/organisation responds to a crisis from management level down through the workforce. It outlines the responsibilities and actions of staff involved in a crisis and also, through business impact analysis, highlights the risks most likely to affect your business.

Businesses should ideally have a business continuity plan in place and the procedures detailed should be tested. Business continuity can be seen as a safety net for businesses. Even though there are costs involved, it is well worth having such plans as they can save a business during an incident and help it react in an ordered and timely manner.

For support on all aspects of continuity planning please feel free to call an advisor on and we can work with you to put the measures in place that can make your business truly resilient. Alternatively, visit our website at www. for comprehensive advice on business continuity.

References

1. data/file/61216/how-resilient-business-disaster.pdf
2.

Challenge Pulsant to fulfil your business aspirations

Contact Routes

Sales
Available: 9am - 5pm Monday to Friday
Telephone: sales@

Accounts
Available: 9am - 5pm Monday to Friday
Telephone: accounts@

Project Management
Available: 9am - 5pm Monday to Friday
Telephone: pmteam@

Find out how we can help your organisation, call or visit www.

Cadogan House, Rose Kiln Lane
Reading, RG2 0HP
info@