Business disruptions can impact organisations of any size in any location. Because of the relatively stable environment in Malaysia, companies have not felt pushed into preparing for crisis or contingencies. However, we are witnessing increasing incidents globally, from pandemic flux, accidents, fire, sabotage, natural disasters and cyber security attacks. In order to protect your company from profit losses, reputation damage and customer loss, a company must create a Business Continuity Plan (BCP) to maintain business functions or quickly resume operations in an event of a major disruption.
The BCP shall include the organisations’ possible threats, the emergency management procedure and strategies to enact.
Here are five key steps to develop a business continuity plan:
Firstly, identify all the internal and external threats to your business that could cease regular business. A risk assessment and business impact analysis shall be conducted to determine the types and scenario of crisis that could cause disruptions to your business operations.
Threats identified may include a global pandemic, natural or man-made disasters, intentional sabotage and cyber security attacks. Understanding the financial impact of downtime and how much time you need to recover due to a catastrophe should not be overlooked.
Evaluation of Threats
You may not be able to predict every type of incident that could threaten your business, but you can develop a plan that covers a range of incidents. Once your top threats are identified, evaluation should be conducted in relation to each, with various views from Division Heads to Technology experts amongst others being considered.
For example, a disease outbreak can cause significant issues for companies, namely by requiring employees to work remotely. It is critical to establish a strategy that enables employees to continue to function in safety.
Work from home, opens you up to cyber vulnerabilities and other technical challenges. You will want to verify that you have the tools, technology, capacity, and security measures in place to support a large remote workforce in the event of a need for quarantine.
Develop Strategy and Procedures
The safety, health and well-being of your employees is your first and foremost concern, but after the dust has settled, the goal of the Business Continuity Plan is to get you back in business as soon as possible. The BCP will typically be prepared in two folds being the Incident response plan and the Recovery plan.
The Incident response plan contains the information you will need to respond immediately before and after an incident or crisis, this may include an immediate response checklist, emergency response team, evacuation plans, communication protocols and contact lists.
Secondly, the Recovery plan outlines the cost-effective strategies you will need to take to resume or get your business running again after an incident or crisis. It is the strategy and the step-by-step procedures that need to be taken for an effective response that safeguards the interests of the company, and stakeholders.
While the final product varies for each company, the Business Continuity Plan should be sufficiently flexible and reflect the company’s size, complexity, and business activities.
Communicate and Integrate
Designated people such as a dedicated Business Continuity Plan team should be put in charge of the plan. At the same time, knowledge about roles, responsibilities and emergency responses need to be communicated to staff and integrated into your company’s policies and culture so that everyone knows what it contains, how to use it and where it can be accessed in cases of emergency.
Test, Train & Maintain
Running test exercises can minimise the impact of disruptions. Whether it is after a training exercise or a real event you have experienced, it is pertinent that you update your plans and procedures to make sure you address any weaknesses in the plan and to ensure that details remain current.
The maintenance of the Business Continuity Plan is as important as implementation whereby plans are to be amended on a real time basis as Management pivots to address situations that arise.
All businesses, regardless of size and sector should have business continuity management embedded in their organisation, this is especially true for essential services and sectors that meet legal requirements.
While in other industries it is deemed to be best practice, a Business Continuity Plan can help protect a company in the event of an outbreak by creating a sound framework for responding to crisis and preserve peace of mind for business owners and employees.
Written by: Heng Cheng Zin, Associate Director, Internal Audit & Governance Advisory, Baker Tilly
Heng Cheng Zin has over 14 years of Internal Audit, Internal Control Review, Risk Management and Compliance experience. She has been extensively involved in managing and executing Internal Audit and Compliance review engagements throughout Asia, Australia, America, Europe and the Middle East Region. Zin is well-equipped with broad knowledge in the area of governance, risks, controls, business process design, policy and regulation compliance.