It’s hard to think about planning for a crisis while we’re in the middle of a global pandemic. Just surviving the impact of lockdowns is a struggle for many businesses. But imagine what would happen if, on top of everything else, you had a major data breach. Or there was a terrorist attack. Or one of your key people had to take a month off work, unexpectedly. For many businesses, already weakened by the impact of COVID-19, a further crisis could be devastating.
Business continuity planning means identifying the worst-case scenario, and planning for it, so your business can continue to operate through the crisis. It’s often lumped together with resilience planning – but I think of them as different. Resilience means you can withstand your walls being battered. Continuity is what you do when the walls have fallen down around you.
1. Plan for the worst-case scenarios
Scenario planning is all about channelling your creative pessimist. It’s not fun to do, but it’s hugely important. Bring together people from different areas of your business and brief them that they should think the unthinkable. This is not an exercise for the faint-hearted.
List as many different scenarios as you can think of. Nothing should be off the table here. I’ve had discussions with my business partner about what happens if we’re both in the same plane crash, for example. (The answer – we have an amazing team around us who could pick up the business and run with it.)
Group these scenarios by potential threat to the business. For example, a data breach is a threat that every business should plan for. But not all breaches are equal. A breach that exposes non-financial data for a small handful of customers would be a lower threat than a major breach affecting all customers and involving sensitive or financial information. Think about threat impact, rather than category. I think in terms of three threat levels: what could destroy the business; what could materially damage the business; what would be a nuisance but ultimately survivable?
Identify and list each scenario. Don’t focus on the plan to address them all yet. I find that if you think of a scenario and then immediately force yourself to come up with a plan to deal with it, it distracts you from pulling together a full list of what could happen. It could even put you off thinking about the worst scenarios, as they’ll seem too hard to deal with.
2. Identify critical business areas and people.
Next, identify the key areas of the business, what function they play, and how critical they are to the operation of the business. If you are technology-driven business, and your platform is taken down by hackers, could you function, and, if so, for how long? Connect these areas of the business to the scenarios you identified in step 1.
Think about whether there are any people in each business area you couldn’t function without. It might sound harsh, but the ideal answer to this question is “there are no people I couldn’t do without”. Everyone in the business should have a deputy who could carry on if they were unexpectedly taken out of the business, including the business leader. We can learn from the army here, which operates a principle of training ‘one up’ - training to be able to do the job of the person above you. In a combat situation, it could be vital.
Most organisations have had to rethink whether their office buildings are critical in the last six months, so this is probably something you have covered. But if you run a business that is reliant on one particular location (a shop, for example, or a studio) you might need to consider what you’d do if the building was taken out of action by fire, or terrorist attack.
3. Create your continuity plan.
This is the hard bit. Connect the scenarios with the critical business areas and people, and then think about how you could survive the scenario without the critical people or business function. I’d do this in a separate workshop, or it could feel overwhelming.
Inevitably, part of this phase will include taking business action to make the plan workable – changing processes or structures, updating technology, and rethinking team roles. Possibly it will include making changes that could prevent the crisis in the first place.
You should come out with a workable plan to address every scenario you’ve come up with.
4. Stress-test the plan.
Most business continuity plans are theoretical. You don’t want to find out your plan has gaps in it during a crisis. Put it through its paces. Test the back-up technology; close a building unexpectedly; give your critical team members a week off. Make it as realistic as possible, and give your teams first-hand experience of what it would be like to manage a crisis. That way, you’ll spot the holes before the crisis hits. Importantly, review what happened, and learn from it so you can improve.
Your business continuity plan is an important first step in preparing for a crisis. Once you’ve completed it, you’ll also need to think about how to build resilience, in your business, your processes and your people; and how to put together a crisis management plan that includes how you’ll communicate with your teams, your customers, and the public through the crisis. Separate topics, for another day.