Do you have a plan in place?

Business continuityIn March 2011, the Chartered Management Institute (CMI) published ‘Managing Threats in a Dangerous World’, a joint report with the Cabinet Office, the Business Continuity Institute, Aon and BSI, looking at the state of the UK’s business continuity management in the previous 12 months – including in the health and social care sector.    

This annual report (which has been published since 2001) is especially important, as the adoption of business continuity management (BCM) frameworks has been actively promoted by government policy in recent years to cope with issues such as the 2008 fires at both the Royal Marsden and Great Ormond Street. For example, the Civil Contingencies Act (2004) introduced a requirement for all frontline responders – including the emergency services – to develop and maintain BCM arrangements. From 2006, the Act also placed a duty on local authorities to promote BCM to business and voluntary organisations.

The health sector
Yet despite this, and given the critical services supplied by many of those in the health and social care sector, the findings for the sector were disappointing. Although 81 per cent of those surveyed reported that their senior management view business continuity management as important or very important, just 64 per cent of managers working in health and social care sector said that their organisations had BCM plans – lower than in local and central government, finance, insurance and utilities. A further 14 per cent didn’t know whether their organisation had set crisis plans they should be following – meaning that plans, even if in place, would be likely to be ineffectual.

This low level of planning could help explain the impacts that unexpected and damaging disruptions have had on the day-to-day operations of the sector over the past year. Particularly concerning is the fact that, as technology becomes more and more integral to how we work, it has brought additional risks with it. More than half of the health and social care sector managers surveyed reported that cyber security threats are increasingly posing a serious risk to their operations, with 29 per cent having come under a cyber attack of some sort in the past 12 months and more than one in five (21 per cent) losing confidential information.

However, traditional business continuity issues also continued to cause problems, with weather and illness presenting challenges for managers. The heavy snow last winter unsurprisingly caused disruption to almost all (98 per cent) health and social care organisations; the volcanic ash cloud impacted 41 per cent; and the influenza epidemic also caused problems for 71 per cent (18 per cent higher than for organisations in general).

Positive signs
More promisingly, the findings also showed that the recent media focus on high profile business continuity failures has had a real impact on the health and social care sector’s business planning. Some 10 per cent of managers feel that Deepwater Horizon has strengthened the case for their organisation to develop robust business continuity management plans; and 22 per cent believe WikiLeaks has caused their organisation to revisit their security arrangements.

These positive signs are backed up by findings of those who have already put a business continuity plan in place, with the report showing clear advantages for organisations that have had to deal with crises. Of those who had to activate plans across the UK in the past 12 months, 84 per cent agreed it reduced disruption and 77 per cent stated that any cost in developing plans is offset by the business benefits they bring.

Effective planning
So, with the benefits clear, and more and more organisations putting a BCM plan in place, what should health and social care organisations do to make sure any plan put in place – or already in place – is as effective as possible?

Firstly, it needs to be remembered that BCM has to be viewed as a holistic activity, focusing on the business or organisational impact, rather than concentrating on specific risks, so potentially missing the bigger picture. As such it needs to form part of a wider management strategy and have specific senior management level accountability and ownership – though may be best delivered by a team of specialists from across your organisation. One way of achieving this might be through using BCM based on a common framework, such as BS 25999.

Once into the the planning phases of any BCM project, it will be important to ensure you define and agree its scope and objectives before you begin – including agreeing limits of responsibility for inter-dependent elements – as clarity and comprehensiveness will be vital to delivering an effective plan. At the earliest possible stage, make sure you identify as complete a picture of your organisation as possible in order to fully understand the risks you face. Process mapping could be a useful tool for this, helping you indicate the inter-relationships of people, equipment and internal and external activities.

Assessing risk
When it comes to starting to assess risk, remember not just to look at the likelihood of failure and the business impact of failure – you also need to consider the time period of failure. Many organisations can sustain service failures for short periods without a critical impact, but the time period will be different for each service and user. Make sure as part of your planning you also review which suppliers are critical to your operations and ask whether they have BCM in place too.

Recent high profile disruptions such as snow and volcanic ash affected many organisations’ logistical operations, and a poorly organised supplier could undermine much of your risk planning work. Bad weather and cyber and information security threats had a real impact on organisations in the UK last year, so make sure any plans you develop cover both.

Who does what?
The key to an effective BCM plan should be to explain who needs to do what, who takes responsibility and who deputises for key roles. Bear in mind that people facing a crisis will not have the time to read detailed reports, so consider using checklists, flowcharts and other visual devices, to make the plans as easy to follow as possible. As part of your plans, make sure that you also develop a clearly defined approach for responding to the media at times of disruption. This isn’t just something for national or global brands – knowing how to deal with local and regional media can be just as important.

Finally, remember that BCM plans are not static – as the rise of cyber threats has shown, new issues arise all of the time that will need to be planned for and considered. Any BCM plan needs to be reviewed regularly, checking it remains relevant to the organisation’s current operations and takes account of new developments. Crisis plans should also be tested regularly to ensure they are comprehensive and robust – a quarter of organisations with crisis plans have never tested them, running the risk that the plans don’t work when they are most needed.

Further guidance
This guidance is obviously not exhaustive, and I would recommend that anyone interested in starting or improving their BCM process visits where you can download a free copy of the ‘Managing Threats In a Dangerous World’ as CMI’s Checklist on BCM, part of our range of over 200 Management Checklists, usually only available to members. There are also a number of other sources of information and advice worth consulting, such as the Cabinet Office’s National Risk Register, BS 25999 (published by the BSI Group) and the Business Continuity Institute’s Good Practice Guidelines, many of which are available online.

In post-recession, “age of austerity” Britain, accountability and transparency are key to success. All organisations have a responsibility to their stakeholders, customers, employees and partners to develop plans to ensure they can continue to operate through difficult or uncertain circumstances. This is particularly vital in the health and social care sector, which delivers such important services, and often works within large or highly interconnected organisations that can put it even more at risk from disruption.

It’s the duty of all managers within the sector to ensure that they have proactive plans in place to deal with the potential threats that could impact their business. Anticipating and planning for threats will help drastically reduce the negative impacts on your organisation, should they occur, as well as helping you recover faster from any ill effects. If your organisation has not already fully embraced BCM, make 2011 the year that you do.