Few ever plan for the once in a lifetime flood, fire or, at the extreme, outbreak of a pandemic. But sadly, as the past few years have shown, the most unlikely of events can occur to the detriment of those they affect.
Consider the 2005 Buncefield Oil Depot explosion, which caused havoc in Hemel Hempstead. Six buildings were demolished and 30 more needed major repairs before they could be reoccupied. More recently, in March 2022, the damage to Gorseinon Eye Centre after a car driven by teenage girls, under the influence, reversed into the shop front.
Cheshire Fire & Rescue says that following a disaster, 25% of businesses never re-open, 80% of companies that do not recover in a month are likely to go out of business, and 75% of businesses without business continuity plans fail within three years.
Speaking for the Business Continuity Institute, Brian Kinch says: ‘It’s impossible to prevent disaster, but businesses can prepare for recovery through a business continuity plan.’
Prepare for every eventuality?
Kinch believes the business continuity process is not necessarily about planning for a specific event, ‘but about planning for what to do in the event of any incident impacting one or more of four key areas: people, premises, technology and processes.’ For a practice, this might include power supply interruption, supplier failure, denial of access or widespread sickness among staff.
To an extent, this means that a plan should be based on the internal and external issues that are relevant to the practice and interested parties and what they need and expect from the business. From there the plan should consider what needs to be done to keep the practice going (or help it recover). Of course, interested parties goes beyond patients – there are many others including employees, suppliers, landlords and funders. They all still need to be paid, which will necessitate payroll and bought ledger processes being critical to any recovery plan.
Thinking ‘outside of the box’ is essential and practices should not ignore the obvious – fire, flood, supplier insolvency, vandalism, terrorism, equipment failure and telecoms issues. Once identified, it is up to the practice to decide what, if anything, it can do to address these risks.
But thinking wider, Kinch says it is important to recognise ‘each issue has a degree of uniqueness and the main risks, or the significance of impact, may differ from one event to another.’ A chain of events that starts with a technology or a process failure that happens on a Friday may be relatively unremarkable. But if it is on the same day that monthly payroll is run, and prevents salaries from being paid, it may have a very significant knock-on impact for employee financial well-being.
The content of a business continuity plan
At the core of a plan is the concept of risk management. Kinch says: ‘Business continuity is concerned with helping with the capacity to withstand incidents and return to normal operations in an acceptable timeframe and condition, regardless of the issue.’
What is written into the plan will very much depend on each practice and the issues it faces, the needs of interested parties, key processes, identified risks and the controls that the practice subsequently introduces to cope with threats. It is critical to include an assessment of how soon it can recover key processes should disaster strike.
There is no right or wrong way to write a plan as each should be tailored to the practice and not just be a list taken from elsewhere. However, it should include: contact information, contact procedures, guidance and procedures on incident management, and recovery based on circumstances. Irrelevant information that ticks boxes does not add value.
Lastly, it is essential that members of the management team are trained and given support, while the plan itself is regularly tested and updated. The practice should also consider taking out business interruption insurance; this covers the costs of getting businesses running again and may also cover lost profits.
Develop a plan
- Threats to a practice are easily categorised and, although some seem improbable, it is necessary to consider them all. They include natural disasters, theft or vandalism, fire, power cut, fuel shortages, IT or telecoms system failure, restricted access to premises, loss or illness of key staff, crises affecting suppliers, crises affecting customers, crises affecting business reputation or terrorism.
- Plans should be written in plain language so anyone can understand it.
- Build in redundancy without adding too much extra cost. There’s no point renting a spare building or equipment in case of emergency but having a list of suppliers may help.
- Plan for IT failures. Back up data regularly, at least once a day, and keep it offsite and accessible. Consider having mobile phones on different networks with ample data packages, which can be switched in if the landline fails. Set up a piggy-back arrangement with a neighbour for broadband. Work out how calls can be diverted if there is no access to the building.
- Check on the business insurances, noting policy details, and keep them offsite. Apart from the obvious – premises, stock, vehicles, public and employers’ liability – also look at directors and officers’ insurance, keyman insurance, critical illness cover, and income protection insurance.
- Compile a list of emergency contacts that includes key staff, utilities, employment agencies and key suppliers. Include details of the accountant, lawyer, and tax / VAT office (with references).