The aim of this section is to provide an understanding of how to develop and use your business resilience plan. It is intended to answer such questions as:
- What are the key elements of a business resilience plan?
- Why is it important to involve others?
- How do you plan to collect the information?
- How will you develop your plan?
- How will you share your plan with others?
Key elements of a Business Resilience Plan
Now that you have assessed your business’ resilience, you will have a better idea of how your plan for the future might take shape. You should know:
- What your business’ critical activities are
- What risks you face and what type of disruption would pose most problems
- Where the business is vulnerable
- How decisions are made
- Whether there are any “single points of failure” (for example, a member of staff with essential skills or authority) that need to be compensated for
- The risks and opportunities presented by the supply chain both upstream and downstream
- How shortcomings might be perceived by customers and the implications of this
- Where new opportunities for the business might lie
The Importance of Involving Others
Imagine you are a Premier League football manager trying to coach your team to the title. Implement a playing system without understanding the strengths and weaknesses of your players, ignore what your scouts have to say about the opposition, fail to ask which stars are tired or carrying injuries and disregard the weather forecast on match day and you could find yourself with a one-way ticket to relegation.
Involve your staff in creating the plan to ensure that they have a vested interest in it and that it represents what they know about making the organisation more resilient to disruptions and capable of improvement. You should have already canvassed your staff in collating the data in the previous sections, but now is the time to delegate specific roles and responsibilities in order to develop the working document that will become your business resilience plan. The last thing you want is to develop a plan that ends up sat on a shelf and is never consulted by anyone, and you certainly don’t want only one person to be responsible for keeping it up to date across all aspects of the business.
It is extremely dangerous for managers to assume they know everything that happens in their organisation, even in a relatively small enterprise. That’s why it is important to involve others in both the development and testing of any plan. You don’t want to rely on what you think happens in given scenarios, but know what happens in them from day-to-day.
Planning to Collect the Information
This will depend on the type of business you are running – whether large or small, the type of industry and the complexity of the business structure. A sole trader, for instance will have a much more concise plan for collecting information than a team of 50 selling a broad range of products with an ever- expanding supply chain. But there are a number of key points that are applicable across all organisations:
- Assign clearly defined roles and responsibilities – not just in assessing continuity and crisis management but in gathering data. Use points of contact from different departments and suppliers to share the load of accumulating the information you need.
- Apply deadlines that are appropriate to the amount of work needed to be done. Too little time and you might get a poor response or distract employees from more pressing commitments; too much time and a threat may strike before the plan is completed/opportunities to improve the business might be missed.
Outline a schedule for putting the plan together, including details of how frequently information should be updated once the initial plan has been created. On a 6-monthly basis perhaps? Or every time a new client or supplier begins to work with the business? - Utilise existing resources – business plans, current continuity and disaster recovery plans, market research documents, relevant trade news, and so on.
- Plan training – whether it’s workshops, round table discussions, risk assessment tutorials or SWOT analysis sessions it is important to get the most out of the exercise of accumulating information.
- Put in as much work as the company can justify – a business resilience plan could conceivably take minutes or months to put together. It is down to the management team to address the perceived value of improving a business’s resilience and allocate the appropriate resources to putting a plan into place. Small businesses may only have one plan to tackle all of its requirements and operations, while a larger firm may require many documents from different business departments at different locations facing different threats and disruptions. If you are the owner of three clothes shops, for example, you may find it necessary to identify the different resilience issues at each location.
Developing a Resilience Plan
Here’s a list of some of the things you may wish to include in your plan, however depending on you and your organisation there may be a lot more or a lot less needed.
1. The purpose of the plan.
2. Links to other plans / policies if applicable (e.g. business plan, communications strategy, continuity plan, fire evacuation procedures, etc.)
3. A clear statement of support for the plan by senior management (if applicable)
4. Who has overall responsibility for the plan.
5. A description of your business, its aims and objectives.
6. A description of the premises, facilities and operations covered by the plan.
7. The main risks you have identified and the impact these could have on your business.
8. Details of any assumptions that have been applied.
9. Information on interdependencies identified.
10. The actions you have identified to prevent impacts on your business and reduce the impacts, should those risks manifest – this may include a pre-agreed list of priorities (customers, products, services, or distribution channels for example) and how quickly these will be recovered after an incident or impact. You may wish to link to individual system recovery plans – for instance how to restore data or transfer telecommunications to an alternative location. Smaller businesses may incorporate key information within the main document.
11. Specific roles for individuals (and, if possible, deputies if individuals are unavailable). For instance briefing and contacting staff, removing valuables, calling in external support) You may wish to consider check lists for these.
12. Consideration of resources designated staff may require to fulfil their roles as defined.
13. Notification process for key members of staff.
14. Up to date contact information for staff.
15. Where you will manage any response from if access to your business premises is denied.
16. Where key documents, records or data that will be needed during an incident (remembering that IT networks may be impacted) or that are essential for continuing business operations can be held securely and accessed as required.
17. Guidance on communications (including current contact details for parties identified) both during and after any incident.
18. Details on how “out of hours” incidents will be managed.
19. Details on how any incident will be monitored and what records should be kept.
20. Inventory of equipment, stock, etc. Ideally this should be supported by photographic records to support any required insurance claims procedure required.
There’s a lot to include here, but you’ll want to make sure it is straightforward and easy to read. Remember, this is going to have to be read by everyone or at least a significant portion of people in your business, and they will all need to be able to understand it and be able to give their feedback on it. A long, dry, academic paper certainly won’t engage your staff.
Sharing Your Plan with Others
It is important to build in time to review the process of creating a resilience plan, sharing it both internally and externally with partners, supply chains and potentially customers. Gaining feedback not only enhances the sense of ownership amongst the people involved, but it may not be until a plan is completed that new threats or opportunities become apparent.