Questions a charity trustee should ask … what’s our Business Continuity Plan?
Disasters happen … and usually at the worst possible times and when you are the least prepared!
A business continuity plan (BCP) will help you identify what things might go wrong and what you can do in the interim until a resolution can be found.
Often, the business continuity plan is seen as something that is “owned” by the IT team, but in reality, it’s something that everyone in an organisation should understand and have input into. A comprehensive plan should cover all the activities in the business and include all the software and physical assets that people use to carry out their functions. For example, if you didn’t have access to your offices, would you be able to pay staff and suppliers? Keeping a cheque book safe and secure offsite might allow you to continue until full service is resumed.
For charities, end-users are often the most vulnerable members of society, so not being able to carry on service delivery during times of failure would have a negative impact on their lives and on the work of your charity.
If you already have one, brilliant!
Here is a checklist of things to look at to make sure your existing BCP is fit-for-purpose:
- When was the last time the BCP was updated? Organisations are continually changing and evolving, and a BCP needs to adapt to the requirements of the business in the same way. Ideally, a BCP should be reviewed every 6 months, or after a significant change in business process.
- When was the last time the BCP was tested? Having a BCP is just half of the task. A plan should be regularly tested to make sure that it will work effectively. All parts of the BCP should be tested annually. Sometimes, that can be a difficult task, especially if your plan involves people working remotely, so a desk-based test can be a good alternative where you create a number of scenarios to exercise the various parts of your plan without disruption.
- Does the plan include more than just IT assets? A good BCP should cover all the assets and processes in a business. Often it’s the small items that people use on a daily basis which get forgotten. For example, do you need a specific card reader or dongle to access your online banking? Is this stored in someone’s desk drawer and not accessible if you can’t get to the building?
- Does the plan include a Maximum Tolerable Downtime (MTD) and Recovery Point Objective (RPO)? MTD: for each process or asset, how long the business can be without it until irreparable damage is done. RPO: the amount of data you can lose in a disaster without being able to recover it.
- Is the communication tree detailed? How will the disaster be communicated so that all staff, volunteers, stakeholders and end-users are aware of their involvement and notified when the service is up and running again?
- Does the plan include return to business as usual (BAU)? The process of returning to BAU can be more difficult than invoking the original BCP, so it’s important to know what the steps will be in order to return to BAU after the disaster.
- Who can invoke the BCP? Only certain people within the charity should be able to invoke the business continuity plan and this should be a measured decision. Often the process of moving back to BAU can be extensive, so the decision to invoke should not be taken lightly.
NB Your IT team should be taking backups of your data and storing them offsite, either in secure storage or with a reputable cloud-based provider. It is worth checking the last time the backups of your systems were restored. Just doing backups is not enough, and I have seen many occasions where it was not possible to restore data and all the business information was lost.
You really need one!
You can get external help to build a business continuity plan and this is an excellent step if your charity doesn’t have the necessary skills to put it together. You will be guided through the business continuity process and helped to identify all your business assets and processes, as well as the risks to each one of them. The output will be a well-constructed BCP that covers all parts of your organisation. There will often be some foundation activities that are required before a reliable plan can be implemented, such as ensuring that data is backed up. For example, you may need to scan copies of important physical documents, or make sure backups are being taken. Once this is in place you will have confidence that you are prepared as well as possible. You will also receive guidance on how to test, monitor and maintain your BCP so it remains current.
If you would like to build the BCP yourself, there are many sources of information and templates available on the internet, along with good online resources and training. It might be worth considering an external training provider to give your leadership team and those involved with business continuity the appropriate background.
A battle box is a case or box, stored securely offsite, that contains emergency items for use in the event of a disaster. If there is no access to a building, this box can be retrieved and can form an important part of the business continuity plan. This is not an exhaustive list, as items will be specific to each organisation, but you might consider including the following:
- A hard copy of the BCP
- A communications list
- Any IT backups which allow underlying systems to be rebuilt more quickly
- Cheque book
- Headed stationery
- Copies of important contracts, documents and information
And don't forget that if you need any more information, or would like help transforming your organisation through the use of digital, we can be contacted through the link below.
Neil Cullen, Founder & Managing Director
Neil is passionate about using technology to improve organisations and help them meet the needs of stakeholders and end-users.