Understanding emergency, contingency and business continuity plans
Examining the nuances between business continuity planning, disaster recovery and resilience.
I am often asked the difference between emergency, contingency and business continuity plans. The answer is that the very act of working through the process of planning for unwanted events, whatever they may be, is the most important factor. However, there are key nuances between each which, if not addressed, can seriously jeopardise a business’s ability to operate.
Unequivocally, emergency plans are required where we need a response by one or more of the emergency services. Emergencies, by definition, are events which tend to happen quickly and rapidly get worse, e.g. a small unchallenged fire can grow significantly. However, on invocation of the plan, the situation stabilises and then sees a gradual improvement.
Contingency plans are similar, where the event happens suddenly and can get rapidly worse. However, they do not require the attendance of the emergency services, e.g. IT outages. Examples where a contingency plan could be required include, but are not limited to:
- loss of power
- industrial action
- loss of IT.
Similarly, the event stabilises and gradually improves. However, both of these examples last a relatively short time span: possibly a few hours or, in the worst cases, days. Rarely do we see protracted emergencies or crises. Conversely, the recovery time for business as usual to be restored can be weeks, months or even years. Yet much time is spent planning for ephemeral emergency or crisis events and relatively little time on recovery. This incongruous nature of planning can lead to potential long-term damage to the business.
The 1980s was known as the ‘decade of disaster’. The second half of the eighties was a particularly catastrophic period in the UK, with incidents such as those shown in table 1:
The main concern around that period was that emergency planning legislation dated back to the Emergency Powers Act 1920. Emergency planning in the UK was focused on the Cold War, concerning a nuclear attack. Following cessation of the Cold War, the planning assumptions had to be changed immeasurably to address more modern-day risks, e.g. terrorism, climate change and the increased use of IT.
The Civil Contingencies Act 2004 replaced the outdated legislation and for the first time, legislation put a mandatory requirement on emergency responders to take account of business continuity to ensure that the emergency services could keep functioning when faced with unwanted events such as flooding of their premises. Moreover, the legislation also put statutory requirements on local authorities to provide guidance to local businesses on business continuity, especially small to medium enterprises.
This was an important aspect as it is widely reported that, following the Irish Republican Army (IRA) bombing in Manchester in 1996, around half of the businesses who did not have suitable plans in place failed to exist within the following twelve months. Consequently, business continuity planning is a vitally important aspect of running any business, no matter how large or small.
In 2018 there were two unrelated major fires in Glasgow city centre which directly affected businesses in close proximity to the premises. The state of the structural integrity of the buildings meant that exclusion zones around the premises completely stopped access for the business owners and their customers for a protracted period.
Where an individual is personally impacted, they can clearly see this as a disaster. This is especially so where there is death within friends and family. However, the word disaster is often maligned, e.g. ‘my hair is a disaster’ or ‘my dinner party was a complete disaster’, so when is a disaster actually a disaster? A disaster is a very personal thing!
The ‘Bradford Disaster Scale’ is utilised to determine when an event is officially a disaster. However, this is rarely used and in the world of 24/7 worldwide news coverage, it is the media who tend to declare when an event or incident is a disaster. This is not based on any algorithm or other model, but sensationalism, in an attempt to sell more newspapers.
Therefore, if we look back in history and even in more recent times, we find it littered with examples of organisations who failed to plan for the unexpected and ended up going out of business. The trick, obviously, is to convert what we know (hindsight) into what could potentially happen in the future (foresight) and to plan accordingly.
Clearly, only an emergency can lead to a disaster; however, not all events are designated as a disaster. Therefore, there is a need to identify the risks to the business: what can go wrong, how can it go wrong and what will happen if it does go wrong. Indeed, we can also argue that something seen as a risk to one person or organisation may be an opportunity for others. Those businesses who plan accordingly can readily identify the business opportunities open to them.
Resilience is an interesting turn of phrase which has become increasingly used in modern times. We have heard the word utilised a great deal more over the past decade by organisations such as the BBC News channels.
Therefore, what does ‘resilience’ mean and why is it becoming more widely used? A useful working definition taken from the English Oxford Living Dictionary is ‘the capacity to recover quickly from difficulties; the ability of a substance or object to spring back into shape (elasticity)’. We can, therefore, deduce that resilience and business continuity planning are intrinsically linked and that careful planning and preparation can assist in achieving a resilient organisation.
International standards such as ISO 22301 are useful tools for organisations to assist in the planning and execution of a resilient organisation. ISO 22301 sets out a valuable framework to assess the impact that having a crisis event would have on the organisation. Whilst risk is a key component of the process, the focus is mainly on managing the consequences of crisis events and on restoring normality within a set timescale, or indeed, defining a new normality.
Failing to plan for crisis situations could easily lead to a failure of the business. It is, therefore, essential that businesses identify their vulnerabilities, including loss of IT, and plug any gaps before it is too late. Every day, we should think: what would we do right now if x, y or z happened? If you cannot answer that question, then you need a plan.
Too many organisations, and indeed senior executives and board members, have misconceptions around business continuity, disaster recovery and resilience, all of which are in essence the same thing. Consequently, it is time to ensure that the following words are wiped from the vocabulary:
- ‘It won’t happen to us’
- ‘We will cope, we always do’
- ‘We are too big a company to fail’.
Do so at your peril!!!
Gillies Crichton. MSc. GIFireE. MBCI. SIRM – group head of assurance for AGS Airports Limited, based at Glasgow Airport