A Business Continuity Plan (BCP) is a framework that ensures an organization can continue operating during and after disruptions such as natural disasters, cyber-attacks, fires, product recalls or other crises.
Given the fact that BI or Section 2 losses of ISR claims account for a significant portion of most claims, a good BCP can be a great tool to give underwriters comfort that an insured understands the risk and would navigate an incident successfully. But like many risk management processes, BCPs can be good or bad. We review these plans for clients all the time and it is fair to say, what we find is wide and varied in terms of the standard and depth of the plans developed. Many are crisis plans, not continuity plans, many have come straight from Chat GPT!
What we find is that very often people get mixed up in the terminology. Confusing crisis plans and disaster recovery plans with business continuity. The graphic below helps with this. To be clear BCP is about handling interruptions to the operations. To make this even simpler it is how businesses ensure they can get their products to customers when an adverse event has occurred.
The Importance of Business Impact Assessment (BIA)
A Business Impact Assessment (BIA) is a foundational step in developing a robust BCP. It involves analysing a business through the whole supply chain to determine the potential impact of disruptions on operations, financial stability, and customer service. Done properly, it starts with suppliers, identifying those suppliers that may cause delays if they have an issue. Then we step through the production process to identify bottlenecks or vulnerabilities that could slow or stop supply to the customer.
The best tool to use is a process flow diagram when stepping through a BIA. So if we see this in a BCP document it gives some comfort.
Key Components of a BIA:
- Identification of Critical Functions – The BIA identifies essential business processes that must be maintained during a crisis.
- Impact Analysis – It assesses the financial and operational consequences of disruptions, helping organizations prioritize recovery efforts.
- Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) – These metrics define acceptable downtime and data loss, guiding the development of effective recovery strategies.
- Resource Assessment – The BIA determines the resources, including personnel, technology, and third-party support, needed to maintain operations.
By conducting a thorough BIA, organizations can tailor their BCPs to address vulnerabilities and ensure timely recovery from disruptions.
Developing an Effective Business Continuity Plan
The BIA will identify the critical processes. The BCP then defines detailed steps to implement for each of these critical processes assuming they are interrupted. Importantly, the cause of the interruption is irrelevant. Fire, flood, product recall, it doesn’t matter. The process is not available, how do we continue to supply customers.
The options for managing the interruption will of course depend on the scenario but can include moving production to alternate production facilities or outsourcing to third parties. The insured may need to manage existing stock, for example more critical customers may be prioritised for delivery and others delayed.
Continuity Plans typically have two streams of activity and resources should be allocated accordingly:
- Reinstatement – an appropriate level of resource needs to be applied to rectifying the cause of the interruption and reinstating supply, and
- Continuity – maintaining supply to customers.
Conclusion
A BCP is a document we hope our clients never have to use. A good one will minimise disruption and could actually be a competitive advantage if the crisis affects others in the same industry. We often get asked for a template, and sure there are templates available, but a proper process ensures there is a deep understanding of the interruption vulnerabilities, which will ensure businesses are better prepared to respond.
For more information and enquiries, please contact us.
Recent Comments