“Since 2001, in my varied role at the firm, I have helped the partners to manage the risks of compliance and operations. Business continuity is always there at the back of your mind, but Covid-19 has been a game-changer in risk terms . . .”, commented David Downham, Practice Director and Risk Manager at Bowling & Co.
Let’s start with some background on risk management and planning.
Business continuity is a key phrase often quoted whenever a business, large or small, contemplates updating or testing their disaster recovery plan – sometimes referred to as a business continuity plan (BCP). A well structured and detailed BCP will have at its core, robust risk management principles.
However, for a new business, developing a BCP would probably not even be considered a priority by the owner(s), until of course, the business encounters its first unforeseen disaster – the regrets of not creating a BCP will hit home and become a hard lesson to learn.
The usual risk suspects
Most BCP documentation will include the usual types of risk in various scenarios: such as fire, flood, theft, and temporary business disruption situations, like the computer network or telephone system being down. But, as we all know now, as the dawn of the new year of 2020 arrived, a very unusual suspect joined the lineup.
No one saw it coming
What the textbooks, politicians, academics, and global population in general never saw coming, was the Covid-19 pandemic – certainly not in terms of the scale and speed of it spreading, like some unstoppable juggernaut. And I’m certain that almost every BCP, in every business throughout the world, would not have included a risk suspect of a global pandemic. Ten out of ten if your BCP did. Going forward, this particular suspect is going to be a permanent feature of all BCPs.
When the world realised that Covid-19 was a real and a huge threat, not only to human lives but the global economy too, business continuity and risk management, took on a whole new priority for risk managers. And the reality finally hit home with the shutting down of almost all businesses globally on an unprecedented scale never seen before. The new buzzword was ‘lockdown’.
Our firm, like many others, had to make the difficult decision to close our office premises, literally overnight, following the government’s lockdown announcement on March 23rd, 2020. Our senior management team held a conference call that very evening and a small dedicated skeleton task force attended the office the following day to deal with priority tasks. The night before, our HR team contacted all staff , to advise them that the office would be closed until further notice and importantly, not to travel to the office. Note: Ensure you always keep personnel records up to date with contact telephone numbers for all staff; an absolute must in the situation we faced.
“We now find ourselves all working remotely, attempting to carry on “business as usual”, but it feels more like “business as unusual”, added David, “. . . and the key elements for any business to survive in these unusual times is allowing themselves to be adaptive, accept environmental change and using the right communication tools. Technology is at the heart of that.”
We had comfort in that we had a BCP in place, containing all the right information, contact numbers, and key suppliers – bank, insurance, utilities, IT, telephones and so on. The scenarios that the BCP did not contain were of course, what to do in a lockdown and how to deal with a global pandemic. These are things we have had to learn to come to terms with. But we kept calm and carried on.
Before we look at how to cope with the Covid-19 lockdown and dealing with the remote working of staff, let’s take a look at the basics below on what a BCP should contain.
What should a typical BCP include?
Your version of a BCP may, of course, be quite different depending on the type, size, and location of your business:
- Key contacts in business (include at least two telephone numbers for each if possible): include management, accounts, IT and department heads
- Key responsibilities of each management contact
- Cascade list – a sequence of who contacts who, in order, depending on the type of incident
- A priority list of functions and detailed risk assessment – you should document key roles/departments in the firm – for example, accounts and IT network – then for each function. Have risk assessment scenarios on how each function would continue to work if the system or premises were not available
- Risk evaluation – this should be a schedule listing potential scenarios of risks (IT network issue), and risk rating each, showing measures to be taken to manage them
- Testing record – a schedule of annual tests working on either real or simulated scenarios; keep testing so you know the BCP works when you really need it.
This part one in a two-part article covering the changing business continuity and risk landscape. In part two, I will talk more deeply about specific aspects of a BCP – including, but not limited to, agile working, security and technology.
Stay connected with us – part two coming soon!
Website content note: This is not legal advice; it is intended to provide information of general interest about current legal and risk management issues.