
Business continuity

Published: 12 Sep 2017 Updated: 02 Sep 2022

Work can be difficult enough when everything is going to plan. But when a major business interruption strikes the consequences can be extremely serious. To minimise the impact of such problems, says David Adams, you need to cost up an effective business continuity strategy.

The term business continuity (BC) should not be confused with disaster recovery (DR). The latter is now used to refer only to recovery plans for IT capabilities. That is hugely important, of course, but an excellent DR plan won’t help an organisation when its offices have been damaged by fire or flooding; or if, for example, deep snow and/or severe transport disruption means staff are unable to get to work; or if a key supplier has suffered a major continuity problem of its own, or has unexpectedly stopped trading.

As might be expected, larger organisations, particularly in highly regulated sectors, or those that form parts of the UK’s critical national infrastructure (such as public sector, utilities and some financial sector companies), tend to have more advanced BC than most. But over the past decade there has been a steady growth in the number of organisations of all sizes and in all sectors investing more resources in BC. Some have been compelled to do this by changes in regulation. Others have been encouraged by larger organisations to which they provide, or seek to provide, services. Some have been proactive because someone within the organisation has realised the need to address specific risks, from flooding to cyber security. But it is generally the case that many smaller organisations have invested only minimum time and resources in this area.

“You don’t generally see SMEs taking a holistic approach,” says John DiMaria, global product manager for information security and business continuity at BSI Group. “Typically that’s because they lack time and money. Most aren’t doing anything about business continuity unless they have to.”

A complete BC strategy must be holistic, covering a broad range of operations. It must protect and improve the resilience of an organisation’s operations by identifying and managing – or planning to mitigate the impact of – the risks that could cause the most disruption. This may entail creating a business continuity management system (BCMS), which could incorporate use of off-the-shelf or bespoke software to help identify and manage those risks, and to create, review, test and refine continuity plans. The BCMS could be based on the industry standard for Business Continuity Management, ISO 22301. Ideally, the strategy and BCMS should also incorporate measures designed to enhance operational resilience: the ability to alter operations in changing conditions.

Risks and impacts

In some organisations it may be that the CFO or FD plays an important role in driving the BC agenda, in part because they may have a clearer understanding of the impact that a prolonged business interruption could have on the operational and financial sustainability of the business. A CFO may also see some financial opportunities associated with improved BC. For example, insurers may respond positively to demonstrable improvements in continuity planning and risk mitigation.

Whoever is leading the process, how does one make the organisation more resilient?

The first step is to identify processes and interdependencies within the business and with other organisations that enable normal operations. The organisation then needs to examine how these could be affected by risks that could affect it. This can be achieved by undertaking business impact analysis (BIA); and by considering the likelihood of specific risks actually becoming reality.

Steve Mellish runs the consultancy Mellish Risk & Resilience and is a former head of business continuity at Sainsbury’s and a former chair of the Business Continuity Institute (BCI) Board of Directors. At Sainsbury’s he led the development of the retailer’s BC function from the late 1990s onwards, eventually embedding BC within all aspects of business planning and operations. He underlines the importance of identifying interdependencies and considering how they might be disrupted by risks.

He recommends considering the risks that feature in the findings of the BCI’s annual Horizon Scanning survey.

“Risks usually in the top five include IT and telecoms failure, cyber attack, data breaches; and fire or flood causing denial of access,” he says.

Choosing the right software tool

If an organisation creates a bespoke BCMS it should meet all requirements, including, for example, the ability to make automatic changes to records based on a central HR data repository, as individuals leave or join the business.

Off-the-shelf tools are cheaper, but may lack the flexibility an organisation needs. “The vendor will say that the software is very flexible, but the system is dictating what needs to go in,” says Mellish. “However, for small organisations, with no experience and limited resources, then possibly it is worthwhile to investigate whether a ready-made system provides what they need.”

He also warns organisations to remember why they are using the software, recalling working with a company that put significant resources into creating a BCMS that would enable the company to attain ISO 22301 certification – but left its actual business continuity capabilities relatively weak. “Having a good BCMS is not the same as having a really good BC capability,” Mellish warns.

David Adams Business & Management Magazine, September 2017

A smart approach

The results of the BIA process should inform the organisation’s next actions. “The art of doing this cleverly is prioritisation and making decisions about how to recover,” says Martin Caddick, director of business resilience at PwC. “To do this, you need the rest of senior management involved. A smart approach balances investment in business continuity against investment in insurance and risk management – and the CFO should be well placed to do that.”

James McAlister, current chair of the BCI, and director at the consultancy Crisis Prepared, suggests senior management, including the CFO or FD, should try to determine which processes, or product or service offerings, are of primary importance to the organisation. “There needs to be some steering from the top as to what to focus on,” he says. “That’s where working with the financial side of the business can help.”

But how might a BC strategy be costed? A relatively crude starting point is to divide annual turnover by working days to discover the headline cost of a lost day of work, but other elements should also feature in the calculation. What would be the cost to a business of its products or services being unavailable for a certain period of time – if its website is out of operation, or products can’t reach retailers’ shelves, for example? “Look at the cost of recovery for your customers, as well as for the business,” says Alan Prescott-Brann, head of sales for business continuity and resiliency services at service provider Daisy Group. “The impact on your brand reputation is very important.”

On the other hand, as Caddick acknowledges, this could be an expensive exercise and smaller organisations will not have endless resources to devote to it. “The danger is that you start doing it by the book and end up spending more time and money on it than it’s worth,” he says. “My advice would be, do it in phases. Have a first phase that takes stock, with a strategic BIA and a current status assessment, looking at how well the business could cope with an incident. See what that tells you, then make decisions about what the cost of this process should be.”

CAB Studios

CAB Studios, a creative agency based in the West Midlands, has been operating for 14 years and employs about 30 people. The need to make the business more resilient became clear when it was based in a building that was prone to power supply and internet connectivity problems. “When you’re predominantly in the cloud and selling services that rely on the internet and electricity you worry a little bit about that,” says CFO Matt Wood. Matters came to a head seven years ago, when a power cut lasted for almost two days.

The business also faced risks related to the fact that many staff lived in rural locations, so might be prevented from reaching the office in severe weather conditions. Led by Wood, CAB developed what it called the Shackleton Plan. If the Met Office issued specific weather warnings, all relevant files for individuals working on specific projects would then be downloaded to high capacity computer disks and taken home by employees, so they could work on them remotely, on laptops supplied by the company.

Since then the company has increased its mobile working capabilities: all staff can now work remotely. CAB has also purchased a new office, where the company paid £60,000 to install a 1GB backbone pipe guaranteeing internet access and has back-up generators for use in the now relatively unlikely event of power failure. Clients’ websites are hosted in the cloud under an arrangement with a service provider that means these IT resources are protected from extreme weather and other natural risks; and safeguarded against the service provider going out of business. “If their company went down we’d have 12 months to move away from their cloud services,” says Wood.

Shaping the strategy

Organisations may want to bring in additional assistance to help shape the BC strategy. A business could hire a qualified BC manager, and/or engage an external consultant, who could also support an individual within the organisation who is taking charge of the strategy.

In some smaller organisations a CFO or FD might be that person, perhaps because the business can’t afford to appoint anyone new. In other organisations individuals may be brought out of another role – in IT, security, procurement or finance, say – to become the BC manager. “Part of the thinking behind training someone up internally is that it’s easier to learn business continuity than it is to learn your organisation,” says McAlister.

Even if a CFO does drive a BC project, it is important that the process of gathering information about risks and interdependencies within and external to the business involves collaboration from risk owners throughout the organisation. Mellish stresses the value of speaking to risk owners face to face, rather than just submitting questionnaires, as this will help to ensure they provide the necessary information and will also reveal more about the way the organisation works. “You get a clear picture of the potential impact of an interruption, and of time sensitivity to recovery in different parts of the organisation,” he says.

Many organisations will find the ISO 22301 standard useful. Even if the organisation does not pursue formal certification, the standard can help to prioritise potential threats and inform the specification of a BCMS. It also provides a framework for the business to assess the effectiveness of the BC strategy. Organisations can also work towards standards for organisational resilience: ISO 22316 and BS 65000.

For some businesses, regulatory or supply chain pressure may mean the cost of certification is a worthwhile investment. “Having the standard can be a good selling point for organisations trying to get new business, or to maintain business with big customers,” says Mellish. “In other organisations the time and cost required would be better spent on developing resilience capabilities.” He also highlights the value of using the BCI guidelines on BC, which are reviewed regularly in the light of changes in technology, standards and regulation.

Full certification will also usually require use of a BCMS and perhaps of software tools, the choice and configuration of which can also present additional challenges.

Whatever form the BC strategy eventually takes, it should be seen as a long-term exercise. “It’s not something you just do once,” says Caddick. “You need to make provision for having it as part of someone’s role in the future. Otherwise it quickly withers away and your investment is wasted.”

He also stresses the importance of considering business continuity when making other business decisions. For example, if the business is consolidating its use of buildings, how will this affect the BC strategy? “You need to factor these considerations into a cost/benefit analysis,” says Caddick. That may be another good argument for the CFO to play an active role within the BC strategy. Whether or not they do, Mellish believes the active involvement of senior management is vital. “It’s about ownership of the programme at the top of the organisation,” he says. “If that’s from FDs or CFOs, fantastic, but ideally the CEO would be involved. In the end, this is all about protecting your brand.”

When disaster strikes

BA
In May 2017 a power outage that disabled much of British Airways’ global IT infrastructure led to the cancellation of more than 700 flights, leaving about 75,000 people stranded in airports across the globe over the course of three days.

The following month, the airline announced that the incident had cost the company about £80m in lost revenue, rebooking, accommodation and compensation payments. The outage was the result of a power surge damaging IT equipment at a datacentre near Heathrow Airport – thought to have been caused by a member of staff disconnecting and then reconnecting a power cable.

Talk Talk
In October 2015 telecoms provider Talk Talk’s website was hit by a sustained cyber attack that exposed customers’ financial and personal data. Having been criticised for its handling of initial public announcements and temporarily shutting down its online sales operation, Talk Talk did eventually steady the ship, but estimated that the fallout from the incident had cost the company at least £42m and led directly to the loss of more than 100,000 customers.

Within weeks of the incident it was announced that a 17-year-old had discovered a vulnerability on the website, then shared this information online. The vulnerability was then targeted over 14,000 times by hackers.

Toyota
Like many other Japanese businesses, Toyota’s operations were severely disrupted by the earthquake and tsunami that struck Japan in March 2011, which killed almost 20,000 people, and is thought to have cost the Japanese economy about $360bn. The disaster put dozens of businesses in Toyota’s supply chain, which built components like microchips and vehicle body parts, out of action for many months.

Since 2011 Toyota and its business partners have made significant changes in continuity planning, enabling faster switching to alternative sources of components when necessary; and in the reconstruction of facilities to make them more earthquake-proof. When another major earthquake struck Japan in April 2016, Toyota suspended all production at facilities in Japan – but almost all affected premises were able to resume operations within two weeks and some were back online within a few days.

Update History
  • 12 Sep 2017 (12:00 AM BST): First published
  • 02 Sep 2022 (12:00 AM BST): Page updated with Related resources section, adding further reading on business continuity. These new articles and ebooks provide fresh insights, case studies and perspectives on this topic. Please note that the original article from 2017 has not undergone any review or updates.