Range of threats to business continuity
There are many types of threats ranging from terrorism, environmental disasters, epidemics, fires and explosions to information technology problems. In order to continue to operate a normal service it is essential to have considered the plans and measures needed to deal with such situations and to ensure all employees are familiar with them.
A survey of company executives gave the top eight risks which they felt posed the biggest threat to their business as:
- Global terrorism
- Disruption to energy supply or critical national infrastructure
- Organised crime, particularly fraud
- Market disruption resulting from unexpected global events
- Damage to reputation, causing reduction in shareholder or customer confidence
- Political uncertainty.
In addition, these can be extended to include:
- Environmental disasters such as flood, snowstorms, hurricane, subsidence or landslides, drought, tornado, electrical storms, freezing conditions, fire, earthquake, contamination and environmental hazards
- Organised disruptions such as sabotage, theft, arson, industrial action or disputes, war or acts of terrorism and kidnap of key staff
- Loss of services or utilities including power supplies, water or gas supplies, shortage of oil or petrol, telecommunications service, loss of drainage/waste removal
- Equipment or systems failure within the organisation, including IT hardware or software, power, production line, air conditioning, cooling plant failure
- Loss of data or records, disclosure of sensitive information, legal action, negative publicity
- Any epidemic causing the absence of a large number of staff or specified key staff
- Other emergency situations such as disruption to public transport or neighbourhood hazards, workplace violence
- Negative publicity or legal problems.
Actions to take
There are two parts to dealing with external threats: firstly, risk mitigation and reduction; and secondly, planning and training to manage a crisis.
Think about what sorts of events are likely to occur, the risks to your business and the possible impact of these. In terms of security breaches and danger resulting from the criminal activities of third parties, how far do you have to go? This clearly depends on your size, location and the nature of your activities but your assessment should consider the possibility of a physical attack as well as one aimed at your IT systems. There are many potential disruptive events and the impact and probability level must be assessed to give a sound basis for your plans.
Then consider how to reduce your vulnerability. Consider physical security, information security and personnel security. This may prompt tighter security around the building, more staff on duty at different times of the day or night etc, better IT back-up systems which are off-site, tighter vetting of new employees or preventative health measures such as ‘flu jabs for all key staff. By focusing on impacts rather than causes, you can plan to deal effectively with an incident, no matter what the source.
Within some organisations there is the need for key management or personnel to travel, for business reasons, to a certain destination. It is worth considering the implication if something disastrous happened to the transport carrier. If you perceive this to be a high risk, you may wish to split the travelling party onto separate flights/trains (bearing the cost implication of course). If this is a low risk, you might instead make a contingency plan setting out who would step into action to ensure the smooth running of the business if something did happen.
Emergency procedures should be put in place. Consider what may happen, who this will involve, who will need information (and what), what should be done by whom and by when. Why not use our emergency procedure checklist as a starting point?
You may need to liaise with the emergency services to agree a strategy, especially if you have a clear health and safety risk in terms of your activities (eg those who store and work with chemicals, or those involved in experiments on animals). It is also worth considering liaising with your neighbours, both in terms of them being aware of any risks and also how you can co-operate with each other to operate smoothly in the event of a disaster.
Managing a crisis
It may be hard to get managers involved in this, and to cover all aspects, so a good tip is to set up a management committee to represent all areas of the business. Then consider the following:
Long before a crisis ever occurs, consider your communications to your employees and ensure that they are all aware of any plans which would affect them in the event of an emergency. Ensure that they know how you will contact them and are aware of possible emergency working locations. Check your contracts and consider a flexibility clause so that your employees understand and accept that in the event of a disaster they may be required to undertake different jobs or to work at a different location. Previous training and the ability to multi-skill can really pay dividends in a crisis. You may wish to also consider having a lay-off or short-time working clause in your contracts, if you feel you may face situations where no work is available for your employees to do.
A system for emergency communication should be set up. This will include details of all employees’ out-of-hours contact numbers and should be kept up to date and accessible off-site. If your premises are destroyed by fire, you will need to be able to contact your employees easily and it may be useful to set up a system for communicating as a group through, for example, SMS texting.
Chain of command
There should be an agreed and well publicised policy on who will take control in an emergency and where they will be located. The chain of command should detail who will be responsible for communicating with employees, customers and the press as appropriate. Similarly, identify not just the contact people, but also any professional training needed in specialist areas, such as PR and media communications. If employees are prepared to handle a crisis they are better able to deal with this, and you are less likely to end up with stress disorders and absenteeism or with an embarrassing/inaccurate portrayal of the incident in the media.
It is vital to draw up plans to allow for the business to continue operating. Such plans should consider all of your likely ‘worst case’ scenarios (see the list above for a starting point!) and how you may handle these.
What are the essential components of your business where continuity is vital? A business continuity plan should concentrate on how to minimise any disruption and economic loss in the event of major problems.
Consider not just major catastrophes, but also smaller events (which are probably more likely to happen). For example, if your building is evacuated by the police or fire brigade and staff cannot get back in, what help can you quickly offer those who can’t access their money, keys, phones and travel cards? Do you have emergency communication points where people can phone to get quick, accurate information and assistance?
In the event of not being able to use your normal premises for whatever reason, an alternative emergency venue should be agreed in advance. This could be a local hotel, a village hall or even working from home. If this is likely to last for some time (in the event of say a flood or fire) there will be the need to make alternative arrangements which will be available longer-term.
There will also be crises where the health and safety of employees will be paramount and although the workplace remains intact there are other risks to be considered. An example would be an epidemic of an infectious disease. Not only would you face serious absence levels for a prolonged period but also your responsibilities under the Health and Safety at Work etc Act 1974 (HASAWA) would mean steps may need to be taken to reduce the risk of infection to staff and those with whom they come into contact.
Lack of preparation for losing staff is the single biggest gap in most business continuity plans. Consider the impact on your business of a loss of people, identify the critical services you need to concentrate your resources on and ensure you have sufficient trained staff to cover for missing colleagues.
Data back-up and technology failures
The possibility of losing information held on computer should be planned for. A back-up held off-site is the safest way to avoid losing everything. This can be done in a secure and confidential way that complies with Data Protection rules.
Consider what to do if your main server goes down, or if your telephone system fails. Can you contact people via another means?
Support and counselling
If a crisis does occur, you will want to have in place mechanisms to help your employees deal with this. Do you have staff who are trained to give bad news? Are they aware of the likely normal reactions to trauma? Do you have an employee assistance programme in place with 24/7 cover?
Ensure that you have emergency procedures in place to help anyone who may be traumatised by any crisis and don’t overlook the people aspects of those who carry on! For example, many people were extremely nervous of travelling by tube following the London bombings. The provision of counselling and support can make a huge difference in terms of assisting people back to work, but simple inexpensive gestures such as the offer of more flexible working hours, or taxis where necessary can help reduce stress enormously in such cases.
Test your plans
Clearly we wouldn’t recommend anything too drastic in order to test your contingency plans but you should ensure that employees are kept familiar with them and that your plans are regularly tested to ensure that they are robust and that they work!
Presenting departments with scenarios and then carrying out test procedures once per year can help to iron out any problems with your plans.
Review and update where necessary
As with all procedures, review these regularly and fine tune them so that if a crisis does occur, you are prepared. Be aware of new risks which face your organisation. Hindsight may be a wonderful thing but, if possible, it’s better not to learn through this!
The following websites provide useful practical advice:
- Centre for the Protection of National Infrastructure
- Also see the Gov.UK website for dealing with terrorism and national emergencies and foreign travel advice
- UK Resilience
- COVID-19: guidance for employers and businesses is produced by the Department for Business, Energy and Industrial Strategy (BEIS) and Public Health England.
An employer that fails to safeguard the health and safety of its workers and visitors can face criminal prosecution leading to imprisonment and, if the case goes to a crown court, an unlimited fine.
The Health and Safety at Work etc Act 1974 (HASAWA) obliges employers, so far as is reasonably practicable, to ensure the health and safety of employees and visitors. Secondary legislation backs this up; the Management of Health and Safety at Work Regulations 1999 require employers to consider all potential dangers to employees and visitors and conduct a risk assessment. Employers are also required to take appropriate preventive measures and establish appropriate procedures to follow should there be serious danger to people working in the business.
Not only is there a legal liability, but do bear in mind that insurers may raise premiums or even refuse to provide continued cover for those without adequate emergency plans. They may also query claims if these show a lack of planning in the event of a major security breach or accident.
The Data Protection Act 2018 governs the security and retention of data.
HR Guidance and Support
For coronavirus articles and links to our webinar recording visit our dedicated page, ‘Coronavirus Advice and Guidance for Employers’. HR Solutions are here to provide you with support and advice on any employment related issues; to find out more call us on 0844 324 5840 or contact us online.