Part of Having and promoting business resilience


Reviewing and maintaining business resilience

Managing the resilience programme

In order to be effective, resilience arrangements must be regarded as an integral part of an organisation’s normal management processes. The commitment of senior managers is crucial in this because:

  • decisions about attitudes to risk and service prioritisation can only be taken at the top level
  • they have control over resource allocation
  • the Chief Executive and senior management team are responsible for ensuring that effective governance arrangements are in place
  • they strongly influence the culture of an organisation

Experience has shown that it is helpful to give a member of the senior management team overall responsibility for Business Resilience and/or emergency planning. By being so appointed they will act as the champion for the processes, increase the profile of the disciplines, and ensure that decisions are made at the appropriate level. They will also ensure that the programme of work to develop and maintain Business Resilience has sufficient breadth to encompass all those whose skills and knowledge are needed to make it successful.

It is important to gain the support and endorsement of the Chief Executive and senior management team at the end of each stage of the planning cycle. Critically, it should be the responsibility of senior management to provide the formal assurance that arrangements are robust and meet the requirements of corporate governance and the law.

The best approach for programme management will vary by organisation, but the programme is most likely to succeed if an overall coordinator is appointed and reports directly to the senior managers responsible for Business Resilience and/or emergency planning. The coordinator(s) should have:

  • a good understanding of the critical aspects of the business and its key personnel and dependencies
  • an understanding of business continuity, integrated emergency management and related methodologies, and awareness of emergency management issues
  • an awareness of relationships with other responders and specialists in related fields
  • good programme management, communication, interpersonal and leadership skills

In addition, it should be made clear that Business Resilience and emergency planning and response are part of every manager’s routine responsibilities.

For larger organisations, it may be appropriate to consider establishing a team or network of responsible managers, who will be required to dedicate appropriate time to Business Resilience and have this reflected in their job descriptions. The team should be drawn from managers within key divisions and/or locations within the organisation. It should contain the right mix of skills and experience and comprise individuals with the authority to make decisions and commit resources.

Reviewing and updating business resilience arrangements

Business Resilience arrangements, including business continuity plans, should be reviewed regularly as circumstances change:

  • as part of any significant change to operational arrangements to ensure that plans remain appropriate, e.g. when there are changes to equipment, buildings, processes, suppliers, etc.
  • when the organisation’s strategic objectives, risk treatments, or the role of a particular department is changed
  • following resilience exercises, activation of plans or ‘near miss’ events, to incorporate lessons that have been identified
  • to ensure arrangements remain current and can respond to changes to risk assessments
  • when new risks or response options are identified

Management sign-off and review

The managers with overall responsibility should ensure that there is a process in place to monitor and review the effectiveness of Business Resilience arrangements. Senior managers should consider the appropriateness of the Business Resilience policy, objectives, and scope, and should approve these. They should also determine whether work on Business Resilience is being carried out in a satisfactory way and whether it meets the objectives they have agreed. When they are satisfied that the required quality has been met, the appropriate senior managers should sign off these documents.

The Business Resilience arrangements should be fully documented to enable management review and internal audit. This will include:

  • the Business Resilience strategy and the scope and objectives of the Business Resilience programme
  • critical activities and key outputs of the organisation
  • Business Impact Analyses
  • Risk Assessments
  • Recovery Point Objectives
  • Business Continuity and Incident Management Plans
  • Incident Response Structure
  • Training schedule

There should be appropriate document control arrangements for these items to ensure that relevant versions of applicable documents are available at points of use and revisions have been incorporated.

Exercising business resilience arrangements

Arrangements should be put in place to exercise business continuity plans to ensure they remain effective. Exercising is discussed more fully in Preparing Scotland: Scottish Exercise Guidance but the following points should be considered.

When developing an exercise programme, Category 1 responders will need to consider:

  • risks, impacts and capabilities to be examined and the appropriate scope for exercises
  • types of exercises to be used, e.g. tabletop, live-play, single or multi-agency, and at what level
  • the involvement of senior management in developing, executing, and quality-assuring the programme
  • the process for delivering exercises, including resources and expertise for planning and release of staff for participation
  • the relationship between the Business Resilience exercise programme and the exercising of emergency plans
  • how lessons will be identified and used to improve resilience arrangements, e.g. through debriefing and the production of exercise reports

While there is an extensive number of scenarios and possible responses, the list of impacts and capabilities is limited. Generic issues to address will include:

  • denial of access or damage to facilities
  • loss of key staff/skills
  • loss of critical systems
  • loss of key resources
  • mobilisation (invoking the plan and assembling key players)
  • coordination of the response and decision making
  • communications (both internal and external with a range of stakeholders and the media)