Business Continuity, Recovering and Bouncing Forwards
Nathan Doran has fulfilled a number of Business Continuity and Resilience roles over the last decade, leading large programmes in complex and varied environments, across a number of sectors both nationally and internationally. In light of Covid-19, he shares his advice on business continuity and recovery planning, and how businesses can be more prepared for next time.
By Nathan Doran
Should we have planned for a pandemic?
While it may be difficult to plan for every possible disruptive scenario, particularly one on such a large scale as presented by Covid-19, it should have been possible to plan effectively for many of the impacts Covid-19 may have had on your business.
To keep Business Continuity planning as simple and targeted as possible, it should be approached with the measurable impacts to the business in mind, irrespective of the cause of the incident; Business Continuity Plans should generally plan to mitigate loss of / disruption to key categories, including:
- Sites / Buildings
- Critical Services (IT, utilities, equipment)
- Supply Chain
Several of these key categories were impacted by Covid-19, particularly supply chain disruptions and reduced staff numbers, or safe ways of working directly, or as a result of increased absence levels. Organisations who invested time in effective business continuity planning, ahead of Covid-19, will have been able to mitigate some of the operational impacts of this unprecedented scenario more effectively than those who did not.
When should we be thinking about our recovery?
The right time for recovery planning may differ from business to business. While it might seem a strange time to think about recovery planning, good practice suggests it should begin before the peak of the crisis. Given this may well be the busiest time operationally, the strategic and tactical layers of the business must support the operational areas to plan for recovery. At the time of writing, many organisations have been planning or even implementing their recovery for many weeks already.
While it might seem a strange time to think about recovery planning, good practice suggests it should begin before the peak of the crisis.
It is important that you consider the triggers for your recovery phase, and they are likely to include:
- The phasing of any associated lockdown measures
- The safety of working environment for employees and customers
- Adequate staffing levels to cope with fluctuating demands and the speed of recovery
- A stable supply chain capable of supplying adequate and necessary goods and services
- Commercial and financial viability of recovery being assured
It is also critical to consider what the ‘new normal’ will look like post-event. Following any business continuity incident or invocation of Business Continuity Plan, the post incident operating model may differ from before the incident. For example, specific to Covid-19, social distancing measures will mean working and operating environments will look and feel very different for a long time. There may also be some positive outcomes identified during the pandemic; remote working for example may prove to be far more viable than previously assumed, allowing mitigation of some potential issues that may be caused by social distancing measures.
As is said ‘the best-laid plans…. often go awry’, so flexibility in your recovery plan is key; internal and external factors may mean you have to adapt and amend your hard-worked recovery plans. This is particularly key in the current situation, with the potential for any phased relaxation of lockdown restrictions to be reversed in the event of a second wave of infections; therefore, be prepared to take steps backwards in your plan as well as forwards.
How can we be more prepared for next time?
An essential step in the business continuity process is the completion of a ‘post-incident/invocation review’, without completing one, it is unlikely you will fully understand what worked well and what did not.
Ask yourself and your teams the following key questions about your response:
- What went well? Was this in line with prior planning or ‘on the fly’?
- What did not go well, and why? What do you think was the root cause of the problem?
- What has changed as a direct result of the Covid-19 situation that you want to maintain? What has changed that cannot be maintained?
- If you could start back at the beginning of the pandemic what would you do differently and why?
The invaluable output of this process is identifying the lessons learned and doing something about it; very little value will come from the lessons unless material actions are attributed to each, and a clear action plan put in place.
With an unprecedented incident such as the scale of Covid-19 , there is likely to be an element of acceptance (from employees and customers) of some mistakes being made during the response, however, if the mistakes are repeated in the event of the same or similar incident occurring, acceptance is more unlikely, therefore, lessons learned need to be embedded into new or existing processes.
Practising the following lesson learning cycle will support this process:
Identify the lesson → recognise the cause → devise a new operating process → practice the new process → embed and sustain the new process → measure success of changes.
For business continuity professionals the silver lining to any incident is the ability to learn lessons and embed the findings to create a more resilient and agile organisation which is better prepared for the next disruptive event.
It is not about merely bouncing back from an incident, but bouncing forwards.
MBCI CBCI SIRM M.SIRM
Nathan has fulfilled a number of Business Continuity and Resilience roles over the last decade, leading large programmes in complex and varied environments, across a number of sectors both nationally and internationally.
He has been a Member of the Business Continuity Institute (MBCI) since 2012 and is actively involved with the BCI as a Membership Assessor for MBCI applications. He is also a Member of the Institute of Strategic Risk Management (M.ISRM).