Preparing Scotland: business resilience guidance

3. Having Business Resilience

The Civil Contingencies Act places a duty on Category 1 responders to plan to continue to perform their functions in the event of an emergency ^[12] . This guidance recommends that this is achieved by applying the principles of Integrated Emergency Management ^[13] to develop Business Resilience.

Organisations should develop Business Resilience in a broad and inclusive way. This is because the various parts of an organisation will generally be interdependent and because the effects of some emergencies, and the responses they require, will be difficult to predict. This will also provide opportunities to involve staff in other parts of the organisation who may be involved with related work or have particular expertise to contribute.

So that relatively small disruptions do not develop into larger problems (or secondary effects do not impede the main response), and so that organisations are able to practice their responses, maintain their skills and learn from experience, it is recommended that arrangements encompass smaller disruptions as well as large emergencies.

The resilience of an organisation requires much more than having a plan for responding to a disruption or emergency. A thorough understanding of the organisation and the risks to which it is exposed, an agreed and resourced strategy and a commitment to embed resilience in the organisation's culture through training and learning from exercises and disruptive incidents are also needed.

Developing and maintaining Business Resilience within an organisation is likely to provide opportunities to promote resilience externally. The resilience of an organisation will depend, in part, on the resilience of its supply chain, including sub-contractors and those providing maintenance contracts. These connections will provide occasions to review the resilience of both parties. This principle could be extended to include the staff working in an organisation, where, for example, employers might discuss how they would get to and from work if transport was disrupted. In this way developing resilience may also have consequences for promoting personal, community and Business Resilience.

3.1 Understanding the Organisation

3.1.1 Strategic Aims and Critical Activities

Increasing Business Resilience should begin with a clear understanding of the organisation concerned including its strategic aims, how it is organised and its culture. Where an organisation's aims are expressed in general qualitative terms it will be helpful to convert them to specific key outputs or activities that can be quantified, as this will be needed to prioritise recovery targets and resource requirements at a later stage. However this should not ignore important quality measures and intangibles, such as maintaining the confidence of customers, service users and other stakeholders, or maintaining the value of brands and reputations.

If the organisation has a declared set of aims and objectives, or similar statements, these can be used as a basis for this work. This will be helpful as it is important that all relevant business and service activity that the organisation is engaged in is considered, and that partial assessments are avoided. The key objectives and values of the organisation will be used to identify which processes are the most important to its wellbeing, to justify decisions about what to prioritise if some activities must be halted, and to gain the support of senior management and the resources they control, for building Business Resilience.

Once the organisation's aims are understood, arrangements should be made to identify the critical activities and processes that are needed to deliver these, and the key outputs that embody them. In smaller organisations this may be less difficult as the person developing Business Resilience may already be familiar with the operations of the whole organisation. Larger organisations will need to involve the necessary specialists from different parts of the organisation.

This work will require an understanding of the inputs, infrastructure and processes on which the critical activities depends. These may include:

• Raw materials and consumables - such as clinical instruments and dressings in a health centre or food ingredients in a restaurant
• Infrastructure - such as transport systems, IT networks and utilities
• Machinery and equipment - such as communication or manufacturing equipment, hand tools and computers
• Skilled staff, or those with special authority - such as police officers with specialist roles, social service staff who are trusted by the communities they work with, or engineers with expertise in a particular technology
• Premises - such as specialist manufacturing facilities, office space, secure areas and warehousing
• Knowledge - such as subject matter expertise, legal requirements, knowledge of operating procedures, information about service users and customers

These factors are some of the organisation's dependencies, but it may have many others, both internally and externally, that support its critical activities. These can include suppliers, contractors, competitors, government departments, regulators, trade bodies, public or media perceptions, pressure groups, and others. It is important to identify these at an early stage and to take their influence into account. Involving representatives of relevant stakeholders, where this is practical, will make this process more effective.

3.1.2 Business Impact Analysis

Having identified their critical activities, organisations should determine what the impact would be if these were disrupted or lost. This stage is known as Business Impact Analysis ( BIA). This will provide information to inform later decisions about strategies to develop resilience and will enable the organisation to focus on areas that most threaten the continuity of its priorities.

The potential causes of disruption to an organisation's operations are almost limitless, however the impacts of any disruption are far fewer. For example, loss of critical system(s), denial of access to premises, damage to premises or loss of key staff and key resources can all produce similar disruption regardless of the cause. It is helpful to rate the impact of disruptions upon the critical activities and key outputs of the business in the event of an emergency. This may be done with a simple high, medium, low scale or by scoring them, from 1 to 5. The impact of potential disruptions should be measured with reference to the following (non-exhaustive) list of factors:

• implications for output or service delivery
• financial cost to the organisation
• health, welfare and safety of stakeholders
• statutory duties and legal obligations
• environmental implications
• resources required to remedy the situation
• impact of disruption on partners
• reputation

The Business Impact Analysis should also take into account the time sensitivity of each business function and process, how urgent it is to restore based on the consequences for the organisation, as this will also influence the recovery objectives.

3.1.3 Recovery Objectives

Ideally, after normal activity has been disrupted, it would be restored quickly and fully to the same state, or perhaps even an improved state which takes into account changes in circumstances. Speed of restoration is rarely possible when the disruption is serious or complex, so organisations must decide which parts of their operations must be restored first, to what level of activity and how quickly. The terms 'recovery time objective', 'maximum tolerable outage' and 'recovery point objective' are sometimes given to the target recovery times and the required level of function for a particular activity. These targets will be affected by a combination of high level aims and by practical operational considerations, which will include interdependencies between different activities and the particular circumstances of the disruption.

Some activities, such as saving lives or complying with legislation, will clearly take precedence over other activity but in other circumstances critical tasks may not be immediately obvious and should therefore be highlighted during planning. In addition to setting recovery objectives for activities, the resources necessary to accomplish these should be understood so they too can be identified.

3.1.4 Risk Assessment

Once an organisation has identified its critical activities and conducted a business impact analysis, it should carry out a risk assessment in order to identify and understand events that could disrupt these activities. This should include risks arising both externally and internally. Risk Managers within organisations and multi-agency risk assessment groups in each Regional Resilience Partnership are likely to provide complementary perspectives on risks which can be used to provide a comprehensive risk picture.

The risk assessments carried out and published as Community Risk Registers are discussed in Preparing Scotland Risk & Preparedness Assessment guidance. These will assist organisations to identify major external hazards and threats that could lead to emergencies. Category 1 responders will also have access to other information about external risks that is not available to the general public because of its sensitive nature. These will be important to Category 1 responders who are required to have arrangements both to maintain priority activities and to respond to emergencies.

All organisations will need to interpret information from external sources and apply it to their particular situation. They are likely to have to adjust risk assessments to take account of particular local factors relating to their activities, such as local geography, infrastructure and climate.

Organisations will also need to conduct risk assessments of potential internal events which could be disruptive. Often these will be based on the processes they carry out and the hazards associated with them, for example being dependent on a particular piece of equipment or a single team to provide an output or service. Some risks will combine external and internal features such as a dependency on a single supplier or subcontractor, being a target for crime or disorder, or the unpredictable availability of some resources.

The ' FIRM' Risk Scorecard, which considers Financial, Infrastructure, Reputational and Market Place drivers of risk, which is a feature of Enterprise Risk Management, provides a useful approach to considering a broad range of risks. ^[14] A feature of this is to consider internal and external risks at all levels within each category. Enterprise Risk Management also provides useful ways to identify, analyse and assess risks to provide a deeper understanding of how risks and processes are interconnected, including:

• Hazard and Operability studies ( HAZOP)
• Failure Modes Effects Analysis ( FMEA)
• Political Economic Social Technological Legal Environmental ( PESTLE) analyses
• Inspections and audits
• Flowcharts and dependency analysis

Although the Civil Contingencies Act is concerned with the resilience of organisations faced with emergencies as defined in the Act, organisations will want to consider a wider range of circumstances. This is because the indirect effects of emergencies might still be important and might be similar to disruptions caused by more routine risks.

3.2 Deciding on a Business Resilience Strategy

Having used business impact analysis and risk assessment processes to identify those areas where the organisation is most at risk of disruption, senior staff must decide what approach will be taken to address the situation: what must be done to protect its operations and to allow its aims and objectives to continue to be achieved. This will be the organisation's Business Resilience Strategy.

Several factors will affect this decision, but the most important are likely to be:

• The risk treatment options and the organisation's risk appetite
• the cost of the available options to mitigate risks
• the practical constraints that arise from the operational requirements of the organisation and the nature of the risk

3.2.1 Types of Risk and Risk Treatment

Organisations will be faced with a range of potential risks and consequences. The risk that any potential event poses can be considered as a combination of its impact, how bad the consequences would be if the event occurred, and its likelihood, the probability of the event happening. For simplicity, events can be thought of in four groups which will require different risk treatments (although there will usually be a continuous spectrum of impacts and probabilities, and these will vary over time):

Risks that have a low likelihood and low impact - these may require no specific action and may be dealt with through generic arrangements.

Risks that have high likelihood and low impact - these may be regarded as a normal operational overhead, similar to 'wear and tear'. To some extent they should be expected, but they may still be monitored and managed to reduce likelihood, impact and costs. They should not constitute emergencies.

Risks that have high likelihood and high impact - these will require close attention. Organisations should normally have arrangements to mitigate these risks and to respond to their consequences. Under the Civil Contingencies Act, Category 1 responders have a duty to do so.

Risks that have low likelihood and high impact - these are often the most difficult risks for senior staff to determine a strategy for. Expending effort on risk reduction and response arrangements may seem a poor investment if the event does not occur, but the costs could be very high if it does. Because of the rarity of these events, detailed analysis may not be possible and the willingness of senior staff to 'live with the risk'- their 'risk appetite'- will be a significant factor.

3.2.2 Risk Treatment Options

There are a number of strategies that can be adopted to manage risks. These include:

• do nothing - in some instances senior managers may consider the risk to be acceptable
• mitigate - take steps in advance, to reduce the likelihood of the disruptive event, or to lessen its impact should it occur
• change, transfer or end the process where the risk has been identified - such decisions must be taken with regard to the organisation's key objectives and statutory responsibilities
• insurance - this may provide some financial compensation or support but will not aid the organisation's response and will not meet all losses, which may include its reputation, other non-financial impacts and human consequences
• plan for Business Resilience - combine risk reduction options, a clear understanding of the organisational priorities and an ability to respond effectively to disruptions, so that the loss of critical functions is minimised

The organisation may decide to combine several of these strategies and apply different approaches to different areas. Some activities might be given a high level of protection while others are left to 'take their chance'. The approach may vary according to the characteristics of the asset or process that is being protected. Stock, continuous processes, organisational reputation and personnel, will each need a different approach.

3.2.3 Support of Senior Staff and Resourcing

Business Resilience arrangements are unlikely to be effective without the clear support of senior staff. One of the most important strategic actions will be to demonstrate executive level commitment to developing and maintaining Business Resilience. Part of this will be a decision to resource this work at an appropriate level, so that staff working on resilience are sufficiently senior and their budgets are appropriate to achieve the desired outcomes.

Organisations should determine and provide the resources needed to establish, implement, operate and maintain their resilience arrangements to agreed standards. This should include identifying a person with executive level authority to be accountable for Business Resilience policy and implementation within the organisation.

This should be combined with formal arrangements to sign off plans and other arrangements, and ensuring that resilience priorities feature in:

• job descriptions of senior staff
• departmental aims and objectives
• reviews of work
• standing agendas of senior staff and departmental meetings
• policy statements

Visible leadership such as support at events and through formal and informal communications with other staff can provide further evidence of a real commitment to resilience and contribute to developing a culture where it is taken seriously at all levels.

3.3 Developing Business Resilience

3.3.1 Business Continuity Plans in Context

The ability to respond to and recover from disruptive incidents and emergencies is an essential part of any resilience capability. These parts of Business Resilience may be referred to in varying ways, but here we use the term 'business continuity' plans. A Business Continuity Plan provides the framework upon which an organisation can mobilise its response to a disruptive event or emergency. But a plan, on its own, will be of limited value. For the response to a disruption or emergency to be effective, plans must be combined with the other components of the organisation's response capability, including suitably trained staff, physical resources, information resources, response management structures, authority to act, a clear understanding of the aims and priorities of the organisation, systems for activating and standing down the response, etc.

For some organisations, it will be helpful to include sections on these within the plan, as well as addressing them when building a culture of organisational resilience and when training and exercising. The process of plan development itself is an important route to engage with staff about Business Resilience and to develop the organisational culture which will be necessary when the plan is activated.

Planning is also discussed in Preparing Scotland: Scottish Guidance on Resilience.

3.3.2 Content of the Plan

The Business Continuity Plan should address the following issues (note - this list is not exhaustive and will depend on the context):

• Assessing disruptive incidents, confirm the nature and extent of an incident.
• Safety and welfare of those affected, staff, public, special requirements.
• Invoking the response arrangements, including the plan itself, criteria and authority to deploy staff and the use of other resources.
• Coordination - who has the authority to make which decisions? How will decisions be communicated?
• Objectives - what are the recovery point and recovery time objectives? What are the organisational aims and objectives to be prioritised?
• Solutions - how both the cause and consequence of the disruptive event will be managed; procedures and activities for delivering the response and meeting the recovery objectives.
• Personnel - who is involved in delivering the response, how are they called out; what are their roles and what must they do?
• Maintaining a response for longer periods of time and standing down the response.
• Communications - about the response/other business, with staff, service users/ customers, other stakeholders, the general public; identifying a suitable spokesperson, using informal communications, social media, media advice.
• Record keeping - a method for recording key information about the incident, actions taken and decisions made.

The plan should have regard to the organisation's recovery objectives and, in turn, the key resources which underpin the delivery of its critical functions. They include:

• People - essential personnel to deliver agreed levels of service, of appropriate skill-mix and sufficient number.
• Data - critical information and documents about contracts, operating procedures, clients/service users/customers, staff.
• Facilities - working accommodation, alternative arrangements.
• Communications - information and communications technology requirements.
• Equipment and technology - where it is stored, how it is operated, what resources are needed to operate it, who can use it.
• Supply chain and sub-contractors - who are the suppliers/sub-contractors, what contractual arrangements are in place, how are they contacted, are alternatives available?
• Stakeholder interests - staff, owners, customers/service users, local community, political/legal interests.
• Stock and other physical resources needed to produce outputs or deliver services.

The nature of an emergency may require that some functions must be enhanced, or conversely reduced or suspended. The Business Continuity Plan should consider the operational processes for implementing decisions regarding functions. For example, if a function:

• needs to be enhanced in the event of an emergency, where would the additional resources come from?
• needs to be scaled down, how would the demands on it be managed?
• is withdrawn, how would staff and customers be informed?

3.3.3 Developing the Plan

In developing the plan, consideration should be given to:

• keeping the plan and the arrangements it describes short, simple and user-friendly
• ensuring the assumptions upon which it is founded are realistic and consider the findings of the Business Impact Analysis
• references to other sources of information and supporting documentation - databases, lists of key contacts, resources and suppliers
• what action plans and checklists are required
• ownership of key tasks - these should be reflected in job descriptions
• document management procedures
• effective communication with stakeholders and, where appropriate, the media
• aligning with relevant contingency arrangements both internal and external to the organisation

The structure, content and detail of the Business Continuity Plan will depend on the nature of the organisation and the risk environment in which it operates. In particularly large or complex organisations, it may be necessary to have discrete local or departmental plans which integrate into one high-level plan.

3.3.4 Using the Plan

It is impossible to anticipate all the circumstances of a disruption and to plan for these in detail. Trying to do so will consume resources without necessarily increasing Business Resilience. Plans should be designed for use in a flexible way, allowing for the lead responder's use of judgement to select which elements of the plan to apply and, where necessary, to improvise alternative solutions based on a knowledge of the organisation's strategic objectives.

Implementing the plan will require a combination of generic management skills, to carry out planned responses, and the skills of crisis management. PAS 200:2011, Crisis Management - Guidance and Good Practice, regards a crisis as 'inherently abnormal, unstable and complex' ^[15] and discusses the skills needed to manage such events. This includes management in the context of:

• previously unrecognised risks or situations
• too much, too little, ambiguous or false information
• threats to the norms and values of the organisation (and sometimes to its existence)
• increased pressure magnifying differences in leadership style and culture
• trade-offs and conflicts of interest
• close external scrutiny

Depending on the particular disruption or emergency, different combinations of crisis managementand other skills will be required. When developing plans, and when training and exercising Business Resilience arrangements, organisations should engage with staff who have experience and skills in crisis management, as part of a program to consider both more and less predictable events.

3.4 Reviewing and Maintaining Business Resilience

3.4.1 Managing the Resilience Programme

In order to be effective, resilience arrangements must be regarded as an integral part of an organisation's normal management processes. The commitment of senior managers is crucial in this because:

• decisions about attitudes to risk and service prioritisation can only be taken at the top level
• they have control over resource allocation
• the Chief Executive and senior management team is responsible for ensuring that effective governance arrangements are in place
• they strongly influence the culture of an organisation

Experience has shown that it is helpful to give a member of the senior management team overall responsibility for Business Resilience and/or emergency planning. By being so appointed they will act as the champion for the processes, increase the profile of the disciplines and ensure that decisions are made at the appropriate level. They will also ensure that the programme of work to develop and maintain Business Resilience has sufficient breadth to encompass all those whose skills and knowledge are needed to make it successful.

It is important to gain the support and endorsement of the Chief Executive and senior management team at the end of each stage of the planning cycle. Critically, it should be the responsibility of senior management to provide the formal assurance that arrangements are robust and meet the requirements of corporate governance and the law.

The best approach for programme management will vary by organisation but the programme is most likely to succeed if an overall coordinator is appointed and reports directly to the senior managers responsible for Business Resilience and/or emergency planning. The coordinator(s) should have:

• a good understanding of the critical aspects of the business and its key personnel and dependencies
• an understanding of business continuity, integrated emergency management and related methodologies and awareness of emergency management issues
• an awareness of relationships with other responders and specialists in related fields ^[16]
• good programme management, communication, interpersonal and leadership skills

In addition it should be made clear that Business Resilience and emergency planning and response are part of every manager's routine responsibilities.

For larger organisations, it may be appropriate to consider establishing a team or network of responsible managers, who will be required to dedicate appropriate time to Business Resilience and have this reflected in their job descriptions. The team should be drawn from managers within key divisions and/or locations within the organisation. It should contain the right mix of skills and experience and comprise of individuals with the authority to make decisions and commit resources.

3.4.2 Reviewing and Updating Business Resilience Arrangements

Business Resilience arrangements, including business continuity plans, should be reviewed regularly as circumstances change:

• as part of any significant change to operational arrangements to ensure that plans remain appropriate, e.g. when there are changes to equipment, buildings, processes, suppliers, etc.
• when the organisation's strategic objectives, risk treatments, or the role of a particular department is changed
• following resilience exercises, activation of plans or 'near miss' events, to incorporate lessons that have been identified
• to ensure they remain current and can respond to changes to risk assessments
• when new risks or response options are identified

3.4.3 Management Sign-off and Review

The managers with overall responsibility should ensure that there is a process in place to monitor and review the effectiveness of Business Resilience arrangements. Senior managers should consider the appropriateness of the Business Resilience policy, objectives and scope, and should approve these. They should also determine whether work on Business Resilience is being carried out in a satisfactory way and whether it meets the objectives they have agreed. When they are satisfied that the required quality has been met, the appropriate senior managers should sign off these documents.

The Business Resilience arrangements should be fully documented to enable management review and internal audit. This will include:

• the Business Resilience strategy and the scope and objectives of the Business Resilience programme
• critical activities and key outputs of the organisation
• Business Impact Analyses
• Risk Assessments
• Recovery Point Objectives
• Business Continuity and Incident Management Plans
• Incident Response Structure
• Training schedule

There should be appropriate document control arrangements for these items to ensure that relevant versions of applicable documents are available at points of use and revisions have been incorporated.

3.4.4 Exercising Business Resilience Arrangements

Arrangements should be put in place to exercise business continuity plans to ensure they remain effective. Exercising is discussed more fully in Preparing Scotland: Scottish Exercise Guidance ^[17] but the following points should be considered.

When developing an exercise programme, Category 1 responders will need to consider:

• risks, impacts and capabilities to be examined and the appropriate scope for exercises
• types of exercises to be used e.g. tabletop, live-play, single or multi-agency and at what level
• the involvement of senior management in developing, executing and quality-assuring the programme
• the process for delivering exercises, including resources and expertise for planning and release of staff for participation
• the relationship between the Business Resilience exercise programme and the exercising of emergency plans
• how lessons will be identified and used to improve resilience arrangements, e.g. through debriefing and the production of exercise reports

While there is an extensive number of scenarios and possible responses, the list of impacts and capabilities is limited. Generic issues to address will include:

• denial of access or damage to facilities
• loss of key staff/skills
• loss of critical systems
• loss of key resources
• mobilisation (invoking the plan and assembling key players)
• coordination of the response and decision making
• communications (both internal and external with a range of stakeholders and the media)

3.5 Embedding Business Resilience in the Organisational Culture

Having robust Business Resilience arrangements requires an ongoing engagement with staff, both to promote the concept of resilience (ensuring that skills and understanding are maintained) and to draw on their expertise to improve plans and responses. Promoting Business Resilience is therefore an important part of having Business Resilience, even within an organisation.

Risk management specialists have developed Risk Architectures ^[18] and management systems which can contribute to the development of Business Resilience. These include working with existing governance arrangements and identifying the responsibilities of different internal stakeholders, in order to embed methodologies in the organisational culture, e.g. identifying risk management responsibilities for:

• the CEO/Board
• the business unit manager
• individual employees
• the risk manager (and specialist risk management functions)
• internal audit manager

Organisations with arrangements of this type will be able to draw on them to help in the development of a culture of Business Resilience.

Promoting Business Resilience is discussed more fully in section 4.