Understanding the organisation
Strategic aims and critical activities
Increasing Business Resilience should begin with a clear understanding of the organisation concerned including its strategic aims, how it is organised and its culture. Where an organisation’s aims are expressed in general qualitative terms it will be helpful to convert them to specific key outputs or activities that can be quantified, as this will be needed to prioritise recovery targets and resource requirements at a later stage. However, this should not ignore important quality measures and intangibles, such as maintaining the confidence of customers, service users and other stakeholders, or maintaining the value of brands and reputations.
If the organisation has a declared set of aims and objectives, or similar statements, these can be used as a basis for this work. This will be helpful as it is important that all relevant business and service activity that the organisation is engaged in is considered, and that partial assessments are avoided. The key objectives and values of the organisation will be used to identify which processes are the most important to its wellbeing, to justify decisions about what to prioritise if some activities must be halted, and to gain the support of senior management and the resources they control, for building Business Resilience.
Once the organisation’s aims are understood, arrangements should be made to identify the critical activities and processes that are needed to deliver these, and the key outputs that embody them. In smaller organisations this may be less difficult as the person developing Business Resilience may already be familiar with the operations of the whole organisation. Larger organisations will need to involve the necessary specialists from different parts of the organisation.
This work will require an understanding of the inputs, infrastructure, and processes on which the critical activities depend. These may include:
- Raw materials and consumables – such as clinical instruments and dressings in a health centre or food ingredients in a restaurant
- Infrastructure – such as transport systems, IT networks, and utilities
- Machinery and equipment – such as communication or manufacturing equipment, hand tools, and computers
- Skilled staff, or those with special authority – such as police officers with specialist roles, social service staff who are trusted by the communities they work with, or engineers with expertise in a particular technology
- Premises – such as specialist manufacturing facilities, office space, secure areas, and warehousing
- Knowledge – such as subject matter expertise, legal requirements, knowledge of operating procedures, information about service users and customers
These factors are some of the organisation’s dependencies, but it may have many others, both internally and externally, that support its critical activities. These can include suppliers, contractors, competitors, government departments, regulators, trade bodies, public or media perceptions, pressure groups, and others. It is important to identify these at an early stage and to take their influence into account. Involving representatives of relevant stakeholders, where this is practical, will make this process more effective.
Business impact analysis
Having identified their critical activities, organisations should determine what the impact would be if these were disrupted or lost. This stage is known as Business Impact Analysis (BIA). This will provide information to inform later decisions about strategies to develop resilience and will enable the organisation to focus on areas that most threaten the continuity of its priorities.
The potential causes of disruption to an organisation’s operations are almost limitless; however, the impacts of any disruption are far fewer. For example, loss of critical system(s), denial of access to premises, damage to premises, or loss of key staff and key resources can all produce similar disruption regardless of the cause. It is helpful to rate the impact of disruptions upon the critical activities and key outputs of the business in the event of an emergency. This may be done with a simple high, medium, low scale or by scoring them from 1 to 5. The impact of potential disruptions should be measured with reference to the following (non-exhaustive) list of factors:
- implications for output or service delivery
- financial cost to the organisation
- health, welfare, and safety of stakeholders
- statutory duties and legal obligations
- environmental implications
- resources required to remedy the situation
- impact of disruption on partners
- reputation
The Business Impact Analysis should also take into account the time sensitivity of each business function and process, that is, how urgently it must be restored given the consequences for the organisation, as this will also influence the recovery objectives.
Recovery objectives
Ideally, after normal activity has been disrupted, it would be restored quickly and fully to the same state, or perhaps even an improved state which takes into account changes in circumstances. Rapid and complete restoration is rarely possible when the disruption is serious or complex, so organisations must decide which parts of their operations must be restored first, to what level of activity, and how quickly. The terms ‘recovery time objective,’ ‘maximum tolerable outage’ and ‘recovery point objective’ are sometimes given to the target recovery times and the required level of function for a particular activity. These targets will be affected by a combination of high level aims and practical operational considerations, which will include interdependencies between different activities and the particular circumstances of the disruption.
Some activities, such as saving lives or complying with legislation, will clearly take precedence over other activity, but in other circumstances critical tasks may not be immediately obvious and should therefore be highlighted during planning. In addition to setting recovery objectives for activities, the resources necessary to accomplish these should be understood so that they too can be identified and secured.
Risk assessment
Once an organisation has identified its critical activities and conducted a business impact analysis, it should carry out a risk assessment in order to identify and understand events that could disrupt these activities. This should include risks arising both externally and internally. Risk Managers within organisations and multi-agency risk assessment groups in each Regional Resilience Partnership are likely to provide complementary perspectives on risks which can be used to provide a comprehensive risk picture.
The risk assessments carried out and published as Community Risk Registers are discussed in 'Preparing Scotland Risk & Preparedness Assessment' guidance. These will assist organisations to identify major external hazards and threats that could lead to emergencies. Category 1 responders will also have access to other information about external risks that is not available to the general public because of its sensitive nature. These will be important to Category 1 responders who are required to have arrangements both to maintain priority activities and to respond to emergencies.
All organisations will need to interpret information from external sources and apply it to their particular situation. They are likely to have to adjust risk assessments to take account of particular local factors relating to their activities, such as local geography, infrastructure, and climate.
Organisations will also need to conduct risk assessments of potential internal events which could be disruptive. Often these will be based on the processes they carry out, and the hazards associated with them, for example being dependent on a particular piece of equipment or a single team to provide an output or service. Some risks will combine external and internal features such as a dependency on a single supplier or subcontractor, being a target for crime or disorder, or the unpredictable availability of some resources.
The ‘FIRM’ Risk Scorecard, which considers Financial, Infrastructure, Reputational and Market Place drivers of risk, and is a feature of Enterprise Risk Management, provides a useful approach to considering a broad range of risks. Enterprise Risk Management also provides useful ways to identify, analyse and assess risks to provide a deeper understanding of how risks and processes are interconnected, including:
- Hazard and Operability studies (HAZOP)
- Failure Modes Effects Analysis (FMEA)
- Political Economic Social Technological Legal Environmental (PESTLE) analyses
- Inspections and audits
- Flowcharts and dependency analysis
Although the Civil Contingencies Act is concerned with the resilience of organisations faced with emergencies as defined in the Act, organisations will want to consider a wider range of circumstances. This is because the indirect effects of emergencies might still be important and might be similar to disruptions caused by more routine risks.