We use cookies to collect anonymous data to help us improve your site browsing experience.

Click 'Accept all cookies' to agree to all cookies that collect anonymous data. To only allow the cookies that make the site work, click 'Use essential cookies only.' Visit 'Set cookie preferences' to control specific cookies.

Set cookie preferences

Your cookie preferences have been saved. You can change your cookie settings at any time.

Publication - Advice and guidance

Having and promoting business resilience

Published
1 Nov 2013
Topic
Preparing Scotland
Having business resilience

Developing business resilience

Business continuity plans in context

The ability to respond to and recover from disruptive incidents and emergencies is an essential part of any resilience capability. These parts of Business Resilience may be referred to in varying ways, but here we use the term ‘business continuity’ plans. A Business Continuity Plan provides the framework upon which an organisation can mobilise its response to a disruptive event or emergency.

But a plan, on its own, will be of limited value. For the response to a disruption or emergency to be effective, plans must be combined with the other components of the organisation’s response capability, including suitably trained staff, physical resources, information resources, response management structures, authority to act, a clear understanding of the aims and priorities of the organisation, systems for activating and standing down the response, etc.

For some organisations, it will be helpful to include sections on these within the plan, as well as addressing them when building a culture of organisational resilience and when training and exercising. The process of plan development itself is an important route to engage with staff about Business Resilience and to develop the organisational culture which will be necessary when the plan is activated.

Planning is also discussed in 'Preparing Scotland: Scottish Guidance on Resilience'.

Content of the plan

The Business Continuity Plan should address the following issues (note – this list is not exhaustive and will depend on the context):

  • Assessing disruptive incidents, confirming the nature and extent of an incident
  • Safety and welfare of those affected, staff, public, and any special requirements
  • Invoking the response arrangements, including the plan itself, criteria, and authority to deploy staff and use other resources
  • Coordination – who has the authority to make which decisions? How will decisions be communicated?
  • Objectives – what are the recovery point and recovery time objectives? What organisational aims and objectives should be prioritised?
  • Solutions – how both the cause and consequence of the disruptive event will be managed; procedures and activities for delivering the response and meeting the recovery objectives
  • Personnel – who is involved in delivering the response, how they are called out, their roles, and required actions
  • Maintaining a response for longer periods and standing down the response.
  • Communications – with staff, service users/customers, stakeholders, the public; identifying a suitable spokesperson and use of informal communication, social media, and media advice
  • Record keeping – a method for recording key information about the incident, actions taken, and decisions made

The plan should have regard to the organisation’s recovery objectives and, in turn, the key resources which underpin the delivery of its critical functions. These include:

  • People – essential personnel to deliver agreed levels of service, with appropriate skill‑mix and sufficient numbers
  • Data – critical information and documents about contracts, operating procedures, clients/service users/customers, and staff
  • Facilities – working accommodation and alternative arrangements.
  • Communications – information and communications technology requirements
  • Equipment and technology – storage, operation requirements, and trained operators
  • Supply chain and sub‑contractors – suppliers/sub‑contractors, contractual arrangements, contact details, and available alternatives
  • Stakeholder interests – staff, owners, customers/service users, local community, political/legal interests
  • Stock and other physical resources needed to produce outputs or deliver services

The nature of an emergency may require that some functions must be enhanced or conversely reduced or suspended. The Business Continuity Plan should consider the operational processes for implementing decisions regarding functions. For example, if a function:

  • needs to be enhanced in the event of an emergency, where would the additional resources come from?
  • needs to be scaled down, how would the demands on it be managed?
  • is withdrawn, how would staff and customers be informed?

Developing the plan

In developing the plan, consideration should be given to:

  • keeping the plan and the arrangements it describes short, simple, and user‑friendly
  • ensuring the assumptions upon which it is founded are realistic and consider the findings of the Business Impact Analysis
  • references to other sources of information and supporting documentation – databases, key contact lists, resources, suppliers
  • what action plans and checklists are required
  • ownership of key tasks – these should be reflected in job descriptions
  • document management procedures
  • effective communication with stakeholders and, where appropriate, the media
  • aligning with relevant contingency arrangements both internal and external to the organisation

The structure, content, and detail of the Business Continuity Plan will depend on the nature of the organisation and the risk environment in which it operates. In particularly large or complex organisations, it may be necessary to have discrete local or departmental plans which integrate into one high‑level plan.

Using the plan

It is impossible to anticipate all the circumstances of a disruption and to plan for these in detail. Trying to do so will consume resources without necessarily increasing Business Resilience. Plans should be designed for use in a flexible way, allowing for the lead responder to use judgement to select which elements of the plan to apply and, where necessary, to improvise alternative solutions based on a knowledge of the organisation’s strategic objectives.

Implementing the plan will require a combination of generic management skills to carry out planned responses, and the skills of crisis management. PAS 200:2011, Crisis Management – Guidance and Good Practice, regards a crisis as “inherently abnormal, unstable and complex” and discusses the skills needed to manage such events. This includes management in the context of:

  • previously unrecognised risks or situations
  • too much, too little, ambiguous, or false information
  • threats to the norms and values of the organisation (and sometimes to its existence)
  • increased pressure magnifying differences in leadership style and culture
  • trade‑offs and conflicts of interest
  • close external scrutiny

Depending on the particular disruption or emergency, different combinations of crisis management and other skills will be required. When developing plans, and when training and exercising Business Resilience arrangements, organisations should engage with staff who have experience and skills in crisis management, as part of a programme to consider both more predictable and less predictable events.

Back to top