A Barbour Guide

Business Continuity
Current Position
Business continuity came into sharp focus for many businesses in the run up to the UK leaving the
European Union in 2020 (Brexit) and the need for changes to working times, delivery methods,
supplier arrangements, trade deals, tax implications and employment arrangements. For those
businesses who used Brexit as a catalyst for drafting or reviewing their business continuity plans it
will have acted as a very tool which they can use in future years to ensure that their business remains
sustainable, robust and flexible enough to adapt in what are for many very challenging economic
times.

The property and facilities manager will have, in Adopting an attitude that ‘it will never happen to us’

most organisations, a key role to play in determining is neither considered good business practice nor a

the business continuity plan for the company. In the reasonable approach considering the global reach

past, business continuity may have been seen simply and impact in today’s modern business environment.

as an IT disaster recovery procedure. However,
Business continuity business continuity is a much broader discipline
is considered and one which the Property and Facilities Manager
to be an holistic needs to gain a good understanding of, if they are
management to help ensure that the business can effectively run
process that and continue during and, in particular, after a major
identifies potential incident or event. The impact of the Boston marathon
impacts on a bombing with the subsequent ‘lock down’ of vast
business and areas of the state would have had an impact on both
builds a framework local and national businesses.
for resilience into
Business continuity is considered to be an holistic
processes and
management process that identifies potential impacts
procedures
on a business and builds a framework for resilience
into processes and procedures. The aim is to have
effective safeguards and responses to protect the
business in the short, medium and long term.
With the phenomena of globalisation, seemingly un-
connected events in faraway places can quite easily
have an impact on a small business trading locally.
An extraordinary example of this is the Coronavirus
which has caused the global disease called Covid-19
in 2020. It is believed that the spread of the virus
started in Wuhan, China from a mammal in an illegal
market place. Its spread world-wide with hundreds of
thousands of cases globally and scores of deaths in
the UK alone within weeks of the virus starting has
caused panic and severe disruption to business. It is
so important that the spread of the virus is stemmed,
that the UK Government has urged companies and
organisations to arrange for people to work from
home wherever possible and in most cases, have
banned work-related travel to other countries.

The UK has faced pandemics in the past, for

Understanding the issues that might affect the
example, SARS which started in 2002 and lasted
ability to deliver goods and services to customers
until 2004. However, businesses today are more
and clients on an ongoing basis is vital to effectively
global in terms of its workers, customers, vendors,
plan for and mitigate against potential interruption or
partners and suppliers, making business continuity
worse.

BUSINESS CONTINUITY 2
 and pandemic plans far more complex to test and side of the world could disrupt the supply chain,

carry out. with either raw materials or finished product not

reaching the businesses’ customers. An ash cloud

In order to prepare for pandemics, organisations
over Northern Europe may mean staff returning from
should create and execute a workplace pandemic
holidays or business trips are delayed. An outbreak
preparedness plan alongside their business conti-
of an epidemic or pandemic might affect a significant
nuity plan. To familiarize employees and emergency
number of staff, or staff working for suppliers or
teams with the plan, businesses should conduct
customers. The impact of terrorism or the threat
exercises frequently and ideally at least annually.
of terrorism is also now a key consideration. The
The plan should take into account working from
loss of a senior or key members of staff could have
home and the ability to communicate with colleagues
a significant negative impact on the business.
and third parties remotely, how key information can
Business continuity is not simply about a strategy for
be accessed (e.g. the ‘cloud’), maintaining security of
backing up data files and how to cope with the loss
information and the increased risk of a cyber-attack.
of the IT platform.
Where remote working is not possible, for example,
Whilst it is recognised that fires, bombs and major
in manufacturing, then robust measures must be put
natural disasters make the headlines, it is often the
in place to prevent the virus spreading amongst the
more mundane events which have a more frequent
workforce. The plan should also include how to get
impact, such as failure of a key supplier, power
back on its feet quickly after the crisis.
interruption, key staff sickness absence or loss of
Because companies are so dependent on providers
internet connectivity.
across all aspects of their business, they should
Considering all of the potential impacts on the busi-
understand its providers’ pandemic plans. For
ness and the response to them will help businesses
instance, if the provider’s own workforce is affected,
develop a strategy and management arrangements
it’s important to know how it will maintain high avail-
which can be tested, reviewed and revised.
ability of its product or respond to service issues. It’s
Importantly, should they need to be invoked; they will
important to recognise that suppliers or contractors in
assist in safeguarding the longevity and sustainability
other countries will be bound by their country’s own
of the business.
specific guidance and this is out of anyone’s control.

It’s also important for organizations to centralize

service-provider relationship information in case the Legal Requirements

managers themselves are unavailable.
Pandemics wreak havoc on supply chains because
they can force factory shutdowns, delay shipments
and create workforce shortages. In February, Apple
announced that the Coronovirus outbreak was
directly affecting its ability to build products and sell
them to consumers in China. Several facilities where
iPhone components are made were shut down, caus-
For some organisations there are statutory duties
for having robust business continuity plans in
place which are periodically tested. This includes
those organisations having duties under the Civil
Contingencies Act 2004 as category 1 and category
2 responders such as:
• county and district councils

ing the company to issue the warning that “worldwide • London borough councils

iPhone supply will be temporarily constrained.”

• local authorities

In summary, in the case of any pandemic, busi-

• NHS hospitals
nesses should be prepared for disruption to worker
• emergency services
productivity, supply chains, travel, product availability,

corporate travel and more. • police service

An earthquake or major civil disturbance on the other • fire and rescue services

BUSINESS CONTINUITY 3
 • environment agency • processes

• transport companies • providers.

• airport operators
People
• harbour authorities
• Which key staff are essential to deliver services to
• utilities providers customers and clients?

• the Health and Safety Executive. • What skills, training and experience do these key

members of staff possess which makes them so

Other sectors, trade bodies, associations and
vital to the company?
enforcing authorities also require arrangements to

be in place for business continuity. This includes • What is the minimum number and spread of staff
those companies regulated by the Financial Conduct that are needed to deliver service to customers
Authority. and clients?

The Management of Health and Safety at Work • Identify members of staff that travel abroad.
Regulations 1999 place various duties on employers
• For staff that travel, what emergency procedures
including the duty to have procedures in place for
are in place?
situations giving rise to serious and imminent danger.

In particular: • Can staff be contacted out-of-hours?

(1) Every employer shall: • Could extra staffing capacity be brought in to

assist during an incident?

(a) establish and where necessary give effect to

appropriate procedures to be followed in the event of • Can staff be trained in other roles?

serious and imminent danger to persons at work in • Could staff work from home if an epidemic or
his undertaking; pandemic prevented people working together as

(b) nominate a sufficient number of competent per- normal?

sons to implement those procedures in so far as they • Can staff undertake non-specialist roles, in the
relate to the evacuation from premises of persons at event of an incident?
Develop a business work in his undertaking; and
continuity plan • What measures could be taken to minimise the
(c) ensure that none of his employees has access to
based on the impact of staff shortages?
any area occupied by him to which it is necessary to
outcome of the • Do any suppliers have key members of staff who
restrict access on grounds of health and safety un-
assessment are critical to the service delivery?
less the employee concerned has received adequate

health and safety instruction.

Property/Premises Requirements

• Which property/premises are critical to deliver

Information services?

• What provision for alternative plant and equip-

Business Impact Assessment
ment are in place?
The first part in the assessment process will be to
• Could the business operate from alternative
identify all of the foreseeable risks which might affect
property/premises?
the business. This is achieved through a methodical

approach to conducting a business impact assess- • Could the business operate from a different

ment looking at four key elements: geographical location?

• people • What are the arrangements for getting key staff to

alternative locations?
• property

BUSINESS CONTINUITY 4
 • What security arrangements are in place for staff
gaining access to alternative locations?
• What are the essential plant and equipment and
what is mission critical?
• For mission critical equipment, what arrange-
ments are in place in the event of an incident/
plant failure?
Processes
• What IT platforms and systems are critical to the
business processes?
• What facilities are available for manual process-
ing of data if IT systems are down?
• What regime is in place for data backups?
• Where is backed up data stored?
• What access is needed to backed up data?
• What is the recovery point objective for data,
i.e. how much data can be lost without serious
business impact?
• What is the recovery time objective for data,
i.e. how soon after an incident is accessing and
processing data required?
• What arrangements are in place for disaster
recovery?
• What documentation is there to support IT plat-
forms and systems, particularly legacy systems
and bespoke software; is it kept off-site?
• What communication systems are in place for
contacting and communicating with staff, suppli-
ers and customers?
• Which processes could be continued by staff
working from home if necessary, for example
during an epidemic or pandemic?
• What plant and equipment forms an essential part
of the business processes?
Providers
• Which suppliers/providers are essential for the
business to function?
• Does the business rely on single suppliers for any
goods, raw materials or services?
BUSINESS CONTINUITY
• Does the business have any reciprocal arrange-
ments in place?
• Can goods, raw materials or services neces-
sary for the business be obtained from other
suppliers?
• Which suppliers/providers deliver key elements of
the services to clients?
• Does the business know what business continuity
and disaster recovery plans its key suppliers/
providers have in place?
• What means of communicating with suppliers/
providers is there in the event of an incident?
• Are there any alternative suppliers/providers?
The Business Continuity Plan
The developed plan should be based on the outcome
of the assessment and include:
• Notification/invocation procedure/protocol.
• Management structure for dealing with an
incident.
• Information and advice to staff (response
procedures).
• Key staff/contact list (including out of hours
details).
• Multi skill training in key areas.
• Arrangements to cover staff shortages.
• Arrangements for staff to work from home, for ex-
ample, in the case of a pandemic (for office-based
staff this would involve computer equipment,
appropriate equipment for an ergonomic set-up,
training in workstation set-up, a comfortable
environment and consideration of the possible
negative effects of working alone and potential
associated work-related stress).
• Loss/damage assessment.
• Relocation arrangements/protocol.
• Inventories of equipment/resources and details of
how to recover these.
• Salvage, site clearance and cleaning
arrangements.
5
 • Details for recovery of key processes. • multi-skill training in key areas

• Copies/backups/safe storage (recovery • inventories of equipment/resources and details of

procedure). how to recover these

• Documented manual procedures. • salvage, site clearance and cleaning

arrangements
• Data recovery procedures.

• details for recovery of key processes

• Contact details for key providers.

• copies/backups/safe storage
• Alternative suppliers.

• arrangements to cover staff short falls

• Third party business continuity arrangements.

• loss/damage assessment
• Communication strategy/plan/procedures.

• site security
• Stakeholder liaison.

• relocation arrangements/protocol
• Media liaison.

• documented manual procedures

• Public information/advice.

• data recovery procedures

It should be regularly reviewed by:

• contact details for key providers

• Running a desktop exercise.

• alternative suppliers
• Holding a full exercise.

• third party business continuity arrangements

• Considering the strengths and weaknesses in the

plan and arrangements. • communication strategy/plan/procedures

• Revising the plan based on the outcomes of • stakeholder liaison

testing/exercising.
• media liaison

• Reviewing and checking the plan against

• public information/advice.
changing business operations, local, national and
Periodically test the plan by:
global events.
Where is backed up
• running a desktop exercise
data stored?
Key Actions • holding a full exercise

Carry out a Business Impact Assessment covering: • reviewing the strengths and weaknesses in the

plan and arrangements

• people
• revising the plan based on the outcomes of
• property/premises
testing/exercising
• processes
• reviewing the plan against changing business
• providers operations, local, national and global events.

• develop a business continuity plan based on The main piece of advice is ‘Do not wait for the
the outcome of the assessment and include: incident/disaster/event to happen. Plan NOW’.
notification/invocation procedure/protocol

• management structure for dealing with an incident

• information and advice to staff

• key staff/contact list (including out-of-hours

details)

BUSINESS CONTINUITY 6
 Case Study auditing was challenging due to the lack of certainty

around a future UK/EU relationship. GIA continually

reviewed the effectiveness of the mitigation meas-

Centrica
ures that were in place as the deadline approached.
Centrica provides energy and services to over 25
The Head of GIA advised other internal audit
million customer accounts mainly in the UK, Ireland
functions to treat Brexit in the same way as any other
and North America through brands including British
external factor creating risk for the organisation. It
Gas, Direct Energy and Bord Gáis Energy.
was important to focus on the specific issues and
The UK’s decision to exit the European Union risks that occur as a result of ongoing uncertainty.
presents a number of risks. She stressed the importance of prioritising and

identifying the consequences for individual organisa-

Shortly after the EU referendum, Centrica estab-
tions, considering contingency plans for those areas
lished an internal Brexit project group to investigate
of greatest impact for a business in the likelihood of
and assess the concerns raised by Brexit which
a worst-case outcome. This is what the Board and
could impact the Group and its customers. The
Audit Committee sought assurance over and valued.
project group was headed by the Corporate Affairs

function. Other departments involved included the

business units dealing with nuclear energy, energy Key Terms

trading, Centrica’s Irish assets, customer facing busi-
Activation (or Invocation): the implementation of
nesses, Group Strategy, HR and the legal, regulatory
business continuity procedures, activities and plans
and compliance teams.
in response to a business continuity emergency,

Scenario Planning event, incident and/or crisis (E/I/C).

Two potential outcomes of the Brexit referendum Battle box: a container - often literally a box or brief

were whether the UK should embark on a hard Brexit case - in which data and information e.g. business

or soft Brexit. Its priority was to continue to deliver continuity plan documentation is stored so as to be

its core operations by delivering the best price for its immediately available to those responding to an

customers and ensuring it can still meet customer incident.

needs if a no-deal Brexit made importing from the Business continuity: the strategic and tactical
EU more difficult and expensive. It considered the capability of the organisation to plan for and respond
practical implications on its operations of all potential to incidents and business disruptions in order to
scenarios. continue business operations at an acceptable

pre-defined level.
Internal Audit View of Risk and
Approach Business continuity management (BCM): holistic

management process that identifies potential threats

The Head of Internal Audit didn’t view Brexit as a
to an organisation and the impacts to business
stand-alone risk, but saw it as a factor that increased
operations that those threats, if realised, might
the probability and/or impact of a range of risks
cause, and which provides a framework for building
arising. This included skills access and its ability to
organisational resilience with the capability for an
trade efficiently with counterparties and continue to
effective response that safeguards the interests of its
serve its customers in the UK and Ireland. The audit
key stakeholders, reputation, brand and value-creat-
function was in balancing these risks in the same
ing activities.
way as any other risk affecting Centrica’s operational

effectiveness. The focus was on ensuring that there Business continuity plan (BCP): documented

were adequate contingency plans in place to respond collection of procedures and information that is

to all eventualities as traditional control mitigation developed, compiled and maintained in readiness for

BUSINESS CONTINUITY 7
 use in an incident to enable an organisation to con-

tinue to deliver its critical activities at an acceptable

pre-defined level.

Business continuity strategy: approach by an or-

ganisation that will ensure its recovery and continuity

in the face of a disaster or other major incident or

business disruption.

Business impact analysis: process of analysing

business functions and the effect that a business

disruption might have upon them.

Cascade system: a system whereby one person

or organisation calls out/contacts others who in turn

initiate further call-outs/contacts as necessary.

A complete glossary of terms is published by the

British Continuity Institute (BCI) and can be accessed

from this link:

https://www.itgovernance.co.uk/files/BCIGlossary.pdf

Further Information
and References
• The Business Continuity Institute is the world’s

leading institute for business continuity.

Established in 1994, the BCI has established itself

as the leading membership and certifying organi-

Business continuity sation for Business Continuity (BC) professionals
strategy: approach worldwide.
by an organisation • Centre for the Protection of the National
that will ensure Infrastructure protects national security by pro-
its recovery and viding protective security advice. Advice covers
continuity in the face physical security, personnel security and cyber
of a disaster or other security/information assurance.
major incident or
• The Civil Contingencies Act 2004 is an Act of
business disruption
Parliament which delivers a single framework for

civil protection in the UK.

• ISO 22301:2019 is an international standard

which specifies the requirements for a business

continuity management system to protect

against, reduce the likelihood of, and ensure that

businesses recover from disruptive incidents.

Date of Review: March 2020

BUSINESS CONTINUITY 8
 Disclaimer
Barbour is a trading division and trading name of

Informa Markets (UK) Limited. It has published this

Guide in order to help the promotion of good practice

amongst knowledgeable and competent specialists

in the subject covered by this Guide. By using this

Guide, the user acknowledges, accepts and agrees

to the following:

Informa Markets (UK) Limited does not give any

condition, warranty or other term, or accept any

duty of care or liability, in connection with the

quality or fitness for purpose of this Guide, or any

loss or damage resulting from reliance on it, and it

excludes all these.

When deciding whether or how to act, the user

should always obtain appropriate professional

advice and should not rely on any information,

advice or recommendation in this Guide, however

it has been expressed. The user is responsible for

obtaining professional advice, and acknowledges

that any defects in this Guide would be detected

by a knowledgeable and competent specialist

providing that advice.

Any use of this Guide by any person is subject

to Informa Markets (UK) Limited’s user terms for

Barbour services, and by using it the user is ac-

cepting those terms, and agreeing to be bound by

them, on behalf of the user and all other persons

for whom the user undertakes any work.

The user waives (and agrees to waive) all claims

for loss or damage which it might otherwise have

against Informa Markets (UK) Limited in connec-

tion with this Guide other than those arising out of

a liability which Informa Markets (UK) Limited has

for personal injury (whether fatal or otherwise)

resulting from negligence.

BUSINESS CONTINUITY 9