With the Civil Contingencies Act requiring public sector organisations to have robust business continuity management in place to ensure they can continue to provide key services in an emergency, failure to do so can have serious repercussions.
However, while BCM is common in the public sector, as budgets are squeezed, resources lost and new ways of working introduced, it can be difficult to know whether plans are fit for purpose.
Figures from the Chartered Management Institute's BCM Survey 2013 highlight the shortfalls. While this surveys both the private and public sectors, it found that less than two-thirds of organisations had BCM in place, with only 61% exercising their plans. In addition, 69% of those with plans had been asked to provide evidence of their BCM capability with this figure rising to 85% in the public sector.
Having robust BCM in place has many benefits. As well as the reassurance that organisations are meeting duties under the CCA and that, whatever crisis hits, the firm is resilient and will be able to respond appropriately, it can have financial benefits too.
A fast, well-coordinated response is likely to result in fewer losses. As an example, if a local authority is able to respond quickly to a flood warning from the Environment Agency, it will be able to put defences in place to protect its properties as well as those of its citizens, minimising damage and reducing the risk of interruption to its services.
Robust BCM can also bring down the cost of insurance. Insurers recognise the benefits of good BCM as - by getting workarounds in place more quickly - recovery times and the size of any business interruption claims are reduced. To reflect this, some insurers will offer a reduction in their premiums or, if it is not in place, provide a contribution towards the cost of implementing BCM. Some take a different line and might insist BCM is in place before they will even consider providing cover.
There are also reputational benefits to having robust BCM in place. When any organisation fails to deliver services, it can quickly come under attack in the media and among politicians.
A recent example of this occurred in Scotland, where a large health board had to postpone more than 500 appointments over the course of three days due to an IT outage. Although the health board made an unreserved apology, the issue lead to Scotland's Health Secretary Alex Neil highlighting the problem and calling for an independent review of all IT systems across the NHS in Scotland.
Knowing the legal position can help to clarify responsibilities. While the CCA introduced the legal obligation in 2004, the requirements were further outlined in the CCA Enhancement Programme 2012. This states that Category 1 responders, which include the emergency services, local authorities and NHS bodies, are subject to the full set of civil protection duties.
As such, they are required to assess the risk of emergencies occurring and use this to inform contingency planning, putting plans and business continuity management arrangements in place. The act also requires public sector organisations to share the information with the public where relevant, but also with other local responders to ensure a co-ordinated response in the event of an emergency.
The CCA Enhancement Programme 2012 also states that business continuity plans must include arrangements for exercises to ensure that plans are effective and for the provision of training to everyone involved in implementing the plan. Plans must also be reviewed and kept up to date.
However, while the CCA Enhancement Programme 2012 sets out a good framework for public sector organisations, it can still leave uncertainty about the scope of the plans required to meet the legal obligations. Best practice is available, and the Enhancement Programme flagged up the British Standard for Business Continuity, BS25999, as providing a generic framework that is applicable across public, private and voluntary sectors.
This has subsequently been superseded by two International Standards - BS ISO 22301 and BS ISO 22313. The first sets out the requirements for setting up and running a business continuity management system with the second providing additional guidance. It is also important to note that the International Standards are not a direct replacement for BS25999, as they relate to the management system rather than the BCM process itself.
For broader guidance, organisations can also look to the 2013 Business Continuity Institute Good Practice Guidelines, which reference BS ISO 22301 and provide guidance and support on how to implement and manage business continuity.
But while these provide valuable codes of practice for BCM, few public sector organisations have either the time or resources to implement them and achieve compliance.
One solution could be to look outside of organisations for this expertise. Outsourcing has become increasingly common in the public sector, especially as a result of the austerity measures, and it can be an efficient and cost effective way to provide services. It can also apply to functions such as assessing whether BCM meets the requirements stipulated under the CCA.
As an example, Aon has developed a Business Continuity Maturity Review. This is a comprehensive gap analysis that measures an organisation's BCM system against a wide range of UK and International standards and guidelines to assess its maturity and identify any weaknesses.
The process is straightforward but rigorous with the organisation providing information and completing a survey that looks at all aspects of their services. This data is then analysed to produce a detailed report containing scores, benchmarks, observations and recommendations.
As well as providing valuable insight into how an organisation's BCM measures up - and where improvements should be targeted - as it can be carried out on a regular basis it enables progress to be measured as part of the organisation's cycle of continuous improvement. A regular review will also take into account any changes within an organisation, for example if it has switched suppliers or outsourced any of its key functions.
Importantly too, having an independent review of BCM is a low cost way to gain the reassurance that an organisation is resilient and meeting its legal responsibilities under the CCA.
Nigel Cooper is public sector practice leader and Hugh Leighton is senior consultant at Aon Risk Solutions.
This is part of a Post In Focus on the Public sector - look out for more articles tomorrow.
- SSP users experiencing further difficulties following last week's disruption
- Sedgwick UK shakes up leadership team after Cunningham Lindsey merger
- Konsileo to offer 'bespoke' customer data for underwriting
- This week: Proceedings and premiums
- Campaigners call for ONS to collate motor data for policymakers
- AIG moves European business to new UK and Luxembourg units
- My other life: Mark Murray, Allianz Insurance, Countdown champion