What are the key components of a Contingency Plan?

Looking at the various makeshift websites that sell plan generators and templates you would think that you need to spend months of effort documenting every nut and bolt, telephone number and insurance policy.

Ironically, some of the sites even profess to provide a “cheaper and more pragmatic alternative to “expensive consultants”" – clearly these people are ignoring the amount of time that people would spend downloading, trying to fathom and then complete their left-brain tomes of regurgitated disaster recovery and millenium bug bunkum that they carried out in a cardboard box when they got paid off from their IT consultancy in the late 80s.

Busines Continuity and Contingency Plans for SMEs don’t need to be complicated or lengthy but they do need to be simple, mobile, well-understood and current.

For extra points they should also be tested through practices and drills – a minimum being a documented annual fire drill if you have premises.

Veterus Consulting Limited offers a 1-day workshop called “BCMlite” that helps SMEs to put together an outline contingency plan for the majority of likely business disruptions by focusing on outcomes – resulting from the disruption and the response.

This approach avoids the creation of 6ft high lockable cabinets of “shelf-ware” detailing the specific response to everything from a tea-spill to a tornado.

You don’t need specific plans for specific disruptions if you focus on outcomes (OK, I’ll allow you an addendum or 2 if you insist).

In the BCMLite workshops, we work through a simple 5-step process based around our MEDIC approach which identifies the 20% of core activities and actions needed to deliver 80% of the business’s core outputs.

In a nutshell, the MEDIC mnemonic prompts consideration of:

• Manpower (Command & Control, Minimum safe staffing levels)
• Equipment (Fallback modes, RTO, RPO, ASOS)
• Data (Confidentiality, Integrity and Availability)
• Infrastructure (including transport, security and supply chain)
• Communications (internal, external, media)

With such a demand for contingency plans and templates evident across most of the search engines we’ll probably offer a MEDIC template and some guidance for completion so that SMEs can develop a basic plan if they are so inclined but our experience is that most people benefit from a bit of mentoring and support even if it is on the phone.

What we can promise is that our template won’t take weeks to complete so in terms of return on time and money it should be the best option – unless of course you really get off on creating and maintaining lists

If you are interested in learning more, drop us an e mail.  We’re also planning to run some BCMlite workshops in Hampshire, Dorset, West Sussex and Berkshire during the Autumn term.

Who knows, you might even get an outline plan in place before the worst of the swine flu epidemic if you book early!

Do you need a mask?

I was speaking to a supplier of FFP3 masks today and he was telling me how there is a major log jam building with the supply of protective equipment for H1N1 now that the pandemic is spreading and case numbers are increasing.

He was advising that 3M are only supplying the same number of masks to clients as previously ordered before Swine Flu which is limiting supply and that many government and public sector clients are insisting on the 3M branded products – probably because they haven’t looked at the alternatives.

There is also a growing shortage of precursor materials (eg filtration cloth) that have been approved for use in the masks – as you will be aware the masks, manufacturing process and suppliers need to pass various stringent tests to qualify for EN 149:2001 etc – which is also putting pressure on the supply chain.

My contact was telling me about foreign government orders of several hundred thousand with backlogs of 8 weeks and other orders for several million masks in the pipeline.

With the vaccine likely to arrive in small quantities only and after the localised epidemics due to hit UK toward the end of August it is already beginning to look rather late in the day for companies to order personal protective equipment (PPE) for their staff.  Particularly when you then factor in the testing kit and training/testing required before issue.

In light of this, my wife (who is a school nurse) and others are taking independent action to protect themselves and their families in case the virus takes a turn for the worse and people start to die in greater numbers.

We’ll probably buy a couple of boxes of FFP3 masks (15 to a box) for each of the family so that we can continue to attend school and work as well as do the weekly shop and travel on public transport.

One of the kids has had open heart surgery so we need to minimise the chances of them getting the bug – even if it is relatively mild so far.

Drop me a line if you are interested in securing some masks for your company or family and I will try to get you a supply before the end of July 2009.

Meanwhile, the message remains the same: catch it, kill it, bin it and keep washing hands and hard surfaces to minimise the spread of the virus in the home, school and workplace.  Everywhere else – keep you hands in your pockets!

@Veterus

In talking to clients, many feel that the likelihood of them being denied access to their site or key buildings and offices is sufficiently remote that they don’t need to plan for it.

This mindest may also be influenced by early business continuity briefings where practitioners took the lazy scenario option and asked them to consider a terrorist attack.

Whilst a terrorist attack remains feasible (and depending on what business you are in maybe more likely than you know) statistically they are few and far between – albeit devastating when they occur.

The more mundane and higher probability incidents are less sexy but need to be considered.  Mechanical and electrical failures (burst pipes and short circuits), disgruntled employess or vandalism, natural disasters or extreme weather, animal disease, crime and transport disruptions are all affecting business somewhere in the world everyday.

So what’s your strategy if you lose you site and how long could you operate at what capacity from that position?

It’s tempting to plan for a “call the customer and muddle through” approach because that seems the cheapest and simplest option – but what of the impact on your firm’s brand and reputation?  Can you still carry out business development in parallel with “priority services only, run from my dining room table or the local Costa Coffee”?

The bigger your business is the more complex the task becomes and when you are a government department the problems get bigger.  The Lyons Review requires any new lease or freehold contract to have prior approval by the Treasury.  Try fast-tracking that one when the site burns down!

Even if you find a suitable site, the contractual work can take months.

Alternatively, providers like Sunguard, Regus and Community Resilience can put arrangements in place to reduce the delay but then you have to convince shareholders and the board that the overhead is justified.  In a recession that’s akin to asking for more money to upgrade the snowplough during this hot spell when everyone has already forgotten what it was like in February.

The reality is that you need to have identified an alternative location.

To stand any chance of a reasonable transition into your fallback accommodation you need to put the logistics and infrastructure in place then practice using the site if you are going to have a fighting chance of minimising the impact on your business.

So where do you start?

You start by agreeing Recovery Point Objectives and Recovery Time Objectives (how much of the business operating by when), the location (commutable for current staff?, budget and timing.  Until you fix a date by when it must be done the project will drift and consume both time and money whilst your risks go unmitigated.

Even if you only work through the specification and location for a suitable site, please do something.  Don’t risk what has taken years to build for the sake of a few months’ work.

And don’t forget, if you haven’t tested and updated your business continuity plan – it ain’t a plan!