Planning for an emergency may soon become law for all, so what should businesses be doing to comply? Alan Williamson explains.
Draft legislation, tighter regulation and improved industry standards are redefining the extent to which all UK organisations are expected to plan for an emergency.
Recent high-profile events, including blackouts in the UK and US, the Sars virus, acts of terrorism and flooding have underlined the growing need for effective emergency response, business continuity and crisis management.
Simply having a business continuity plan may no longer be sufficient. Organisations should ensure that it is regularly tested and refined, that it accounts for the availability and responsiveness of critical services, and that it can be implemented effectively from the board down.
A 2003 Airmic survey revealed that risk managers considered business continuity management to be their most important concern over the coming year.
A collaborative risk management standard was launched in September 2002 by the Institute of Risk Management (IRM), Airmic and Alarm, the national forum for risk management in the public sector. This is considered a seminal work for the risk management profession in all sectors and is to be adopted as a European standard of best practice.
The proposed legislation (see below) to develop regulation and new business continuity best practice standards means that organisations can expect to be under pressure from all sides to have a business continuity plan (BCP) that measures up against all these benchmarks.
Business continuity management (BCM) is not a one-off project, but an iterative process requiring ongoing commitment in terms of time, effort and money.
Rehearsing the BCP helps to embed it within the organisation and enables participants fully to understand its purpose and role, and also their role within it. It is an effective way of identifying errors or gaps that need to be rectified, and to ensure the BCP is at its most effective. A Chartered Management Institute survey in March 2003 found that over 80% of UK firms testing their BCPs revealed shortcomings, and one in six failed to address these in the long term.
In addition to rehearsal, the BCP can benefit from being regularly audited to identify gaps and areas for development and to produce an action plan for improvement.
An integral part of any BCP is crisis management. This is developing into a separate discipline as senior management and board members require ever more sophisticated tools and techniques to assist them in the strategic management of a crisis.
A crisis will differ from an incident in that it is often a strategic issue, which may not necessarily affect the day-to-day operation of an organisation.
Crisis management plans need to be accessed quickly and effectively under the most difficult of circumstances. Plans should include key actions for team members in associated timeframes, as well as providing an effective and workable structure for internal and external communications and media management.
The plans should also be sufficiently flexible to incorporate responses to specific issues to which the organisation may feel exposed, such as reputation, product recall or fraud. A fully developed plan can be embedded and maintained in much the same way as a BCP, through a combination of training and auditing to ensure a current plan and a confident, skilled team.
Alan Williamson is UK leader of Marsh's risk consulting practice
The Civil Contingencies Bill
The draft Civil Contingencies Bill, launched in June this year, aims to replace current unstructured emergency planning legislation and strengthen the framework for co-operation between responders in an emergency.
The Bill is in two parts. Category 1 responders are public sector services that are key players in the management of an emergency. Category 2 responders are both private and public sector services that manage the provision of services.
Organisations in both categories have clearly defined expectations and responsibilities. For Category 1 responders these include risk assessment, planning arrangements, planning and testing continuity of own services, sharing information, co-operation and promotion of business continuity management to local businesses.
Existing regulation already requires Category 2 responders to have clear, comprehensive and validated continuity plans. The new legislation would require responders to co-operate and share information with Category 1 responders and to attend a multi-agency forum to develop civil protection plans.
Following 11 September, the FSA reviewed the business continuity arrangements of 12 major financial groups, after which it published a set of high-level principles for financial sector business continuity.
These principles state that the FSA will not take a prescriptive approach to business continuity management (BCM), but there will be ongoing dialogue with firms about their continuity arrangements. The primary responsibility for BCM will rest with firms' senior management.
The FSA also issued a consultation paper earlier in 2003 on operational risk systems and controls, revising the text of the senior management regulation handbook.
The handbook now contains a greater level of detail on the responsibility of regulated organisations with regard to business continuity.