Business Continuity Management

Last month the Chartered Management Institute published its seventh annual survey of managers
who were aware of specific Business Continuity Plans (“BCP”) covering critical business
activities in their organisations. The survey, which is supported by the Cabinet Office,
interviewed over 750 managers working in the public sector, large and small private-sector
businesses and voluntary and not-for-profit organisations. The results provide little comfort
for business owners, customers and stakeholders.
Over the past seven years, there has been virtually no change in the number of organisations
with BCPs. Despite 76% of organisations reporting that Business Continuity Management (“BCM”)
is important to them, only 47% reported the existence of any significant BCPs –
down from a peak of 51% of organisations in 2005.
The main drivers for BCM are corporate governance and, for public sector organisations,
the Civil Contingencies Act 2004. Pressure from customers is an important driver for
private-sector businesses. Since May 2006, local authorities throughout the UK have
been required to promote BCM to businesses and voluntary organisations in their
communities. As you might expect, the survey showed that larger organisations (62%),
i.e. with more than 250 employees, were more likely to have BCPs than smaller
organisations (33%), i.e. with fewer than 50 employees. Disappointingly, given the rapidly
growing dependency of public bodies on the voluntary sector for service delivery, the
survey showed that only 40% of these organisations had any form of Business Continuity
Management.
There is a continuing mismatch between organisations’ anticipation of disruptive
events, their planning and their actual experience of such events. For example,
the loss of IT and the loss of people were the two most commonly reported
disruptions in 2007/8. 73% of organisations indicated that the loss of IT
services would have a significant impact on costs and revenues. However, only 39%
of organisations have BCPs that address this threat while 43% reported actual
disruption in the year. Similarly, 59% of organisations believed that the loss of
people would have a significant impact on their costs and revenues. Yet, only 29%
of surveyed organisations planned for the loss of people whereas 35% of
organisations experienced actual disruption in the survey year.
Of the organisations that do have a Business Continuity Plan, only one-third actually test their
plans. Of those organisations that do test their BCPs, three-quarters reported that
shortcomings had been identified, leading to improvements in their planning.
Developing a Business Continuity Plan is an internal insurance cost for any
organisation. The process enables managers to identify various risks and cost
impacts and, where appropriate, commercial insurance cover can be arranged to
mitigate much or all of the costs and loss of revenues. Increasingly, the UK
insurance industry is prepared to lower its insurance premiums for those
organisations that have formal BCM processes.
The key messages emerging from the survey are that all organisations should have a
Business Continuity Plan and that much remains to be done to encourage organisations
in both the public and private sectors. It is also important that IT and
communications systems intended to support remote working during a
disruptive event are in place and fully tested before any disruption actually
occurs. All Business Continuity Plans must be fully tested.
We have developed templates, checklists and management workshops
to help businesses develop their Business Continuity Plans and
IT Disaster Recovery Plans. Sandy Pratt, our Director of Technology Consulting,
has considerable experience of Risk Management and Business Continuity Management and
will be delighted to discuss our article. You can contact him by emailing
Sandy.Pratt@4-consulting.com.