OHS Canada Magazine

Important considerations for business continuity planning


Avatar photo

September 10, 2020
By Iqbal Anwer

Health & Safety Human Resources Business Continuity COVID-19 editor pick emergency planning

Use lessons from COVID-19 to improve your existing plan

COVID-19 has forced companies to shift their focus and learn how to operate in a pandemic scenario. (Vittaya_25/Adobe Stock)

Do you know the difference between an emergency response plan (ERP) and a business continuity plan (BCP)?

The ERP lays out how to safely, effectively and immediately respond to an incident, whereas the BCP prepares how to continue business operations afterwards.

More pointedly, an ERP would cover how you respond to an office being on fire; the BCP tells you how you will continue to provide your minimum required services without your office.

In my experience, most large and mid-size organizations have a fair understanding of ERP, whereas BCP is a new subject to them.

Either it is not formally written down or, in some cases, they have a written plan, but key personnel are unaware of it.

Advertisement

Pandemic effect

The COVID-19 pandemic has forced organizations to shift their focus and now industry is learning how to operate amid a pandemic scenario.

It is high time to develop and/or update your BCP to make operations more resilient.

Business continuity planning is essential for all types of organizations — be that in the service or physical products sector.

While we see a high turnover in all industry segments, reliance on past corporate memory is not always effective.

Developing a BCP

Make sure you develop a written BCP and it is shared among management personnel of your organization.

The BCP may contain proprietary information, so portions of it may be retained by executives only. However, line management should be aware of the BCPs existence and have access to those elements they will be expected to be directly involved in.

The BCP should not only be stored in head office but should have secondary storage locations, however all copies must be controlled.

The following should be included within the plan, with reference to ISO 22301:

  • Identify a credible scenario:

    Identify situations that can make it difficult or impossible to carry out critical functions of your business. At a minimum consider the following:

    • unavailability or loss of key personnel (as a result of a pandemic, airplane crash, security event)
    • loss of facilities (including power outage, flooding or fire)
    • loss of IT services or infrastructure (internet outage, cyber-attack, viruses)
    • loss of internal or external supplies (infrastructure or services).

  • Identify interdependencies and impact on business:

    Include business impact due to the unavailability of one function or resource. Make it tiered — such as what will be the impact on your business if your fabrication shop or head office is unavailable for one day, one week, one month and/or forever. Similarly, consider this for your key personnel and IT resources.

  • Determine acceptable downtime:

    Determine the acceptable downtime for each critical function and identify tiers. Based on these tiers, response levels and personnel responsible should be identified.

  • Plan to maintain operations:

    This should identify the workaround solutions to maintain the continuity of operations. Solutions identified may also be tiered and list the decision makers and alternate decision makers. Some examples are below:

    • using a manual invoice generation process when the IT system is down
    • use of mobile data package and tethering if wired internet connectivity is unavailable
    • outsourcing and contingent workforce, sub-contracting
    • list of key critical functions and minimum number of personnel
    • work from home while head office is unavailable
    • alternate sources of supplies and equipment, pre-negotiated rates and contracts
    • location of data backups and backup sites, and who should know how to access it
    • contact information for emergency responders, key personnel and backup site providers.

  • Training, maintenance and testing:

    At least on an annual basis, your ERP and BCP must be reviewed and updated. Turnovers and transfers of personnel require updating those responsible and their contact details. At least on an annual basis, conduct simulations of both ERP and BCP with various scenarios. This will help you to continually improve.

The current pandemic can be used as an opportunity and may identify improvements in your existing BCP.

Iqbal Anwer, CRSP, is a safety professional based in Calgary and principal consultant of Arfmaz Corp.

Stories continue below
Print this page

Related Stories