Business Continuity and why it’s more important than ever

Lets mention this here and then move on – the global pandemic. Covid-19 has tested every one of us.

From an IT stance to deploy remote working in a matter of days or weeks rather than the months or years that were aligned for such projects; and our staff, many who have had to adjust to a new ‘remote’ way of working, which we know, now adds an additional layer of requirements around business continuity and disaster recovery in the event of an issue. This blog seeks to explore the dynamic shift in business continuity in today’s unprecedented times and what to explore as we come out of the pandemic and adjust to our ‘new-normal’, whatever that may be. Social distancing; working from home; no onsite meetings and nations borders, opening and closing with a moment’s notice.


Approaching Business Continuity

Many of you will have highly diverse teams, spanning different offices, regions, countries, languages, internet connectivity challenges and more. However, what should be the common factor here, irrespective of your organisation type, is that you have a proper ‘Business Continuity Plan’ (BCP), with an aligned team, to support and mobilise at any point where a crisis demands it. A squad of BCP champions, responsible for assessing each situation and then providing the relevant support.

But business continuity is so much more than ‘a squad’ and looking to international standards, like ISO22301, the requirement for an effective BCP, in line with a robust Cyber Security Policy and a Disaster Recovery Policy are paramount to your success.

What should ‘now’ look like?

Your people’s welfare and how you protect them and your assets as we continue to work remotely in line with Government advice, or with a mix of remote working, with some returning to office working or the offices of customers, should be a key priority.

Your business continuity plan may have been updated since it’s iteration before the global pandemic struck – if not, then this is absolutely your priority.

If you revisited and revised your BCP, great – but now, more than ever before, reviewing it at your agreed revision schedule will not be effective. You should be continually reviewing and adapting your plans as lockdown eases but is subject to any local or regional restrictions – so as one area opens, another may still be or going into a second phase of lockdown. For those people returning, whose essential work for your organisation will be significantly benefitted from being delivered from your organisational office or those who are finding working from home difficult – you need to ensure that you have in place, every measure to protect your people and customers not just from Covid-19 risks, but also those everyday one’s we were protecting ourselves from before – Health and Safety; Environmental; Cyber Security; Data Governance and more.

Five Key areas to consider right now

Alongside your organisational BCP, these should be, under the guidance of your BCP Board, operations to ensure that BCP for Covid-19 are reviewed, monitored and communicated across these five key areas:

  1. Protecting your people

All your people should be following the Government’s advice to work from home where possible and are proficient at using your chosen virtual conferencing solutions to engage with other staff members, customers, suppliers and the like. Your local office will have BCP plans around people working safely from the office, in line with Government guidance on social distancing, and how you safely monitor those staff members for ‘track and trace’ in the event of an infection. Undertake risk assessments of the current working environments and consult your people – it is important that your staff are included to gain their confidence and trust about coming back to the office; align to and follow further guidance from the Government’s and Public Health organisations in your region.

Group fo office workers braindtorming around a pc

Close up of somebody using a laptop

  1. Ensure continuity for your clients

Equip your staff with the right tools to undertake their work effectively and securely (see our blog about secure working tips – it’s worth remembering that with the advent of IoT, many people have little, insufficient or no cyber security in their home of IoT devices). Embrace and support your users to understand digital inclusion – collaboration through video conference calls; instant messaging technologies and how to work effectively together across multiple platforms. Ensure that you have robust polices in place that support secure remote working so that data integrity and confidentiality is always maintained. Use secure VPN technology irrespective of your device – PC, laptop, tablet, phones and while face to face meetings are not advised just now, embrace technology and digital services to ensure continuity of service with colleagues and customers.

  1. Announce your preparedness for business

You should have already mobilised your Pandemic Response Team, who should also be a sub-set of your senior leadership team and your Incident Management Response Team. Have within your BCP’s either a section (or a distinctly separate document) for following infectious disease and Pandemic Management Response Plan. Undertake full risk assessments for each working environment and support the on-going, changing development of your BCP.

Group of business people discussing somthing around a table

Close up of somebody using a laptop

  1. Communicate to your ‘network’

You may work with a single customer, multiple, or service citizens across the UK and beyond, so it’s vital that you have within your BCP, a ‘communication plan’ that works across your network of staff, customers and citizens. This ensures a standardised BCP and Incident plan (including that pandemic response plan) and how, when and with whom to communication in the event of invocation.

  1. Supply Chain Continuity

It is also important to maintain clear communication with your supply chain – those partners with whom you have contractual obligations or managed service deliverables to ensure that their plans also align to yours and where agreements are mutual, plans are in place to ensure continuity of the supply chain. Part of this plan should also include an appropriate inventory of all maintained or outsourced core technology and other services, such as utilities, essential to maintaining your operations.

Close up of a person using a tablet device with a data overlay

Aligning to ISO22301 – Business Continuity

If there was ever a time for organisations to look to international standards, such as ISO27001 (information security); ISO31000 (risk management) and ISO22301 (Business continuity) it is now – as we are still in the midst of the global pandemic, with winter around the corner and still the uncertainty of the next wave’s impact.

The need for organisations to implement a management system capable of ensuring business continuity has arisen in the light of Covid-19. Where some organisations had BC plans written in 2015, or where none really existing outside of the IT departments team, or where is was in Fred’s head.

This BCP is also not just about the health and safety issues but must apply to the whole organisation. While safety is an important facet, it is merely one piece as, in the current climate, organisations are mainly in crisis because they have had to suddenly adopt a new method of working. New processes and application shifts where security protocols are new, untested, and patterns of work, access controls and the advent of home working alongside staff home Internet of Things (IoT) are not robust.  These are added on top of the already suffered crisis of business interruption, caused by severe economic changes which threaten survival of many businesses, jobs, clients etc.

ISO22301 gives you a framework on which to address your business continuity requirements – we’re not saying here that you need to go out and certify, but by using the controls within this internationally accepted standard, you can, align with assurance to its controls.

This would allow you to build or mature a Business Continuity Management System (BCMS), to make your organisation resilient to disruptive events with planning and controls in place in the event of a further lock-down; addressing consequences of resource issues; consequences of breaches of contract for deliverables and service(s); handling any issues from legal and regulatory issues and, handing any other organisational inefficiencies that may arise, through adverse and/or uncontrollable events.

Mapped alongside the ISO22301 standard, are a range of other supporting guidelines released during the Covid-19 pandemic, here’s just a few that may be useful to your organisation – as they offer guidelines and practical advice for businesses and individuals, to navigate challenges and potential risks associated with the current global pandemic.

Continuity and Resilience:
PD CEN/TS 17091:2018 Crisis management:  Building a strategic capability
BS EN ISO22301:2019 Business Continuity Management Systems – Requirements
BS EN ISO22313:2020 Business Continuity Management Systems – Guidance on the use of ISO22301
ISO/TS 22318:2015 Guidelines for supply chain continuity
ISO 22316:2017 Organisational resilience – Principles and attributes
Community Resilience (Volunteers, vulnerable persons)
BS ISO 22319:2017 Community resilience – Guidelines for planning the involvement of spontaneous volunteers
BS ISO22330:2018 Guidelines for people aspects of business continuity
BS ISO22395:2018 Community resilience – Guidelines for supporting vulnerable persons in an emergency
Risk Management
BS ISO 31000:2018 Risk Management – Guidelines
BS 31100:2011 Risk Management – Code of practice and guidance for the implementation of ISO31000
Emergency Management
BS ISO 22320:2018 Emergency Management – Guidelines for incident management


So, what’s next for Business Continuity Post Covid-19?

I wish I knew – I wish I had the magic bullet that addresses this question – but I don’t!

We’re still in the grips of this global pandemic; we don’t know what’s around the corner until a vaccine is sourced but what we do know, is that there is an unprecedented rise in ransomware and cyber crime since we went into lockdown.  Attacks are now targeted, and nation state attacks are coming to the fore, seeking to gain the IP to be the leading country to ‘release’ the vaccine, which will undoubtedly swell their financial coffers.

What I can say, is that how we operated pre-March 2020 is gone – we now operate in a completely different way. Digitisation has taken a leap and with it, the leap in cyber attacks; phishing scams; data breaches and other threat vectors. Digital transformation will become the new-normal – virtual meetings; virtual house viewings for tenants and online services via secure citizen portals.

Whatever your organisation chooses, we recommend that you check over what you have (or need) and get your BCP in order. During this unprecedented time, conventional high impact risks will remain, and their effects amplified – this leaves you with less time, less resource to recover, so there’s no room for error.  However, because of this, you can expect your stakeholders, senior management, regulators and customers who are on this same journey with you, to be more risk-aware and more risk-averse. Expect more stringent checks on your organisation including your strategies around business continuity and your plans.

You may already have a strong BCP – but please don’t rest on your laurels just yet.  Review what you have and address your existing BCP with these five considerations:

  1. Consolidate on what you’ve learnt as a team over these last few months

How did you handle the onset and development of Covid-19. Critically review your decisions made – would you make the same conclusions again, knowing what you now know? What improvements can you make to your BCP?

  1. Discipline – your one true friend!

BC planning, is by many, still considered to be a tick-box exercise. The production of documents, generally created to satisfy auditors, regulators and customers – once produced, remain static or the very least, are updated with a new version number and a box completed to say, reviewed within the 12-month period. STOP!! Embrace the discipline of continual reviews of your BCP. By not doing so, it simply misleads stakeholders that the plans will work – and when they don’t at the point of invocation, cost you time, effort, resource and money.

  1. Define and update your response

No one wants to be the one to communicate bad news in the event of an issue. By having prepared responses, again, that are reviewed regularly, means that with a Communications Plan, at the correct part of invocation of your BCP, takes the pressure off you. Review the response and adapt them as needed. Sending the wrong communication at a time of heightened panic or a staff member, believing that they are doing the right thing by relaying the wrong information can have a significant impact on your organisation both during and after the event.

  1. Review the Risks

Every organisation has changed over these past few months, and your defences will have changed too. Buildings remain empty, or sparsely occupied as you dip your toes into ‘getting back to the office’; staff remain worried about returning to work and ‘home’ is the new office for many. However, it is imperative that you review your risk profile and risk registers again – review your risk appetite’s for what was once tolerated, may now need to be treated, transferred or terminated.

  1. Manage your Supply Chain

All too often, we’re focussed on ourselves and our people, but the relationships with our partners, suppliers and managed services is important. How have they addressed business continuity and disaster recovery and what are their identified risks in this new world? You may wish to consider requesting these as you review your revised risk strategies – have they amended their contractual obligations or your requirements?

Talk to us today

If you would like support around any aspect of your business continuity or any other element of your organisations risk and compliance or security strategy, please contact the Phoenix Risk and Compliance Team on 01904 562200, or email