The business continuity plan of the future

Published: Tuesday, 05 October 2021 07:59

What information should the business continuity plan of the future contain? Nick Simms considers how business continuity plans need to change in the light of COVID-19 and the widespread ability to work from home.

The business continuity plan of the past was usually predicated on the loss of the building and on the assumption that only a certain percentage of the staff - usually 20-25 percent of the total - could be accommodated at a recovery site. The remaining 75-80 percent of staff were usually told to go home and wait for further instructions. The business continuity plan, therefore, tended to focus on who would go where and what their priorities and key tasks would be when they got there. Anything that was generic, such as muster points following an evacuation, would usually be contained in a crisis management plan or on a wallet card given to all staff.

Now, largely as a result of COVID-19 (although things were moving in this direction anyway), most people who were formerly office-based can, at least theoretically, work from home - caring responsibilities, space and compliance allowing.

What, then, are the implications for the business continuity plan, particularly for those organizations that have decided that work from home (WFH) will be the default response to a loss of building? You may still need departmental-level plans for high staff absence, technology outages, data losses, and disruption to third-party services, but what will be in your de facto standard? Evacuation plans can still be explained in a crisis management plan or a wallet card.

Should the focus now be on what the department should do in the event of the loss of technology (i.e. what do you do while the technology is out and then, what do you do when the technology is restored before resuming normal operations)? Isn't this likely to already exist in actual or imagined Standard Operating Procedure (SOP) manuals? The same is possibly true for disruption to third-party services. Strategies for dealing with data loss or corruption are, perhaps, better initiated from the centre when the nature of the problem is identified.

There is something else to consider too, especially for those who are thinking about operational resilience in its wider sense and not just about business continuity. Should plans of the future be end-to-end along the whole process, crossing departmental boundaries? Those who have tried this in the past have, by and large, failed miserably. This is because, although the process as a whole is affected by a disruption, the operational response often needs to be at a location or individual departmental level. A downstream activity doesn't need to know the minutiae of what the upstream team is doing to restore the process, just that the process is being restored, that it will take x amount of time, and that it may lead to certain challenges or risks that can and should be determined and understood ahead of time.

The author

Nick Simms is a highly experienced operational resilience and business continuity professional with a proven track record of delivering innovative, practical solutions to time and budget across the financial services sector.