Six steps to build an effective business continuity plan
A business continuity plan (BCP) is a comprehensive plan with contingencies for business processes, assets, human resources, and business partners in case of an emergency. It defines steps that can be taken to re-establish productivity, secure key assets, and continue operations despite the disruptions.
BCPs are a necessary tool in ensuring your business preparedness. They build confidence, cultivate resilience, and provide valuable business data to safeguard the business during challenging times. For your accounting practice, they can help you continue providing services even during a time crunch (such as tax season), as well as maintain client-facing operations.
Here’s how you can start building a BCP for your accounting practice if you don’t have one yet.
Establishing an effective business continuity plan
A good BCP is one that’s effective in addressing the situation it’s designed for.
A BCP for a cyberattack, for example, should be able to secure your digital infrastructure and protect sensitive data without having to pay the requested ransom. A BCP for a health pandemic should ensure your employees’ safety while also keeping productivity stable.
One thing to keep in mind is to avoid making a BCP more complicated than it has to be. What matters is that it actually functions.
Why are BCPs important? Threats to businesses are, on the whole, increasing. 57% of organisations say it now takes longer than before to resolve cyber incidents. In Singapore, businesses lose US$1 billion a year to unplanned downtime — not to mention revenue and productivity loss, as well as delays in product development.
Risk management is especially important for any business, including accounting firms. A single catastrophe can destroy infrastructure or debilitate your team, leaving you unable to recover.
Disasters can be hard to predict. Many things can go wrong, and impromptu catastrophe management is difficult because you may miss important details. So when developing a BCP, it’s good to follow a guide to ensure you’ve covered all your bases.
One simple guide is the 5W1H format answering the questions: Why, Who, What, When, Where, and How.
1. Explain why the plan exists and what the objectives are
Anyone reading your BCP should be able to quickly grasp why it is being carried out. Explain that BCP is a risk management strategy in the face of an issue or crisis. Why is the plan necessary, and what is it designed to accomplish? A plan that fails to clearly outline the ideal results cannot guide you to safety.
Make sure that everyone in your practice also understands why steps are being taken. This helps you act swiftly and avoid staff resistance due to misunderstandings. For instance, Alan Chang, the Managing Director of OA International Holdings, has implemented workforce segregation amid the recent health pandemic. This is for the safety of his staff and their families. He shares, “We focus on buy-in from all the employees. The staff understand that it is for their personal safety and wellbeing”.
On the other hand, failing to convey the objective of your BCP clearly to all employees can lead to stunted, laggy implementation or objections from team members.
2. Determine who will enact the plan, and who will be affected
A plan cannot be carried out successfully if you don’t know who is in charge. When planning a BCP, you should also identify key departments and people who will be responsible for each step. Nominate a champion or champions who can lead the way for other employees.
Keep in mind that some issues or crises may result in leadership falling ill or becoming unavailable. That means every BCP should have a plan for the continuity of leadership in the absence of key decision-makers and managers. The team should know their responsibilities and understand which decisions are theirs to make.
Analyse your practice to determine the critical functions that you need to protect in the case of an emergency. Then, define who can carry out those functions — your essential employees or team members who must be prioritised.
OA’s plan to keep employees safe amid incidents involves assigning people to specific tasks. One staff member may be placed in charge of closing accounts at the end of each day in the case that leaders are not available; another may be in charge of writing daily updates and tracking progress.
OA is also clear when it comes to determining which employees will be prioritised in carrying out the plan. For the recent enforcement of BCP, Chang shares that “staff who need additional support are provided with flexible or remote working options”.
Clients might also be affected, so it’s important to keep them in mind when crafting your BCP.
3. Explain what steps your accounting practice needs to take
This aspect of your BCP should address what needs to be done to mitigate risks. Essentially, these are the steps that you will follow when disaster or crisis hits.
A BCP has to be tailored to each firm’s needs based on the services they offer, their business/team model, company size, and more. In your accounting firm, you may have staff already working at the clients’ premises, conducting audit services. This means this part of your workforce is already segregated. You can then put in place split team arrangements for the rest of your team based on their roles. Staff in non-client-facing roles can be asked to work from home.
Working remotely is a key part of OA’s BCP in the event of disasters and crises. Chang shares, “In terms of business continuity practices, each department is divided into two teams. One team works from the office, and the other team works from the client’s place or home.”
Different steps will have to be taken in suspected vs. confirmed cases of an emergency. To protect employees who are coming in to work during this period, Chang introduced additional precautionary measures, such as stricter sanitation and hygiene standards. You may also introduce travel restrictions and provide other means of support for staff, such as ensuring they have the right tools and technology to maintain productivity while working remotely.
4. Discuss the timeline of your business continuity plan
Every BCP should include a timeframe. It’s like fighting a fire. You need to deal with the emergency as quickly and efficiently as possible to reduce your losses and minimise damage.
This includes a timeframe for evaluating the success of the BCP after the incident has passed, and for re-establishing your normal routine.
In the case of a health emergency, you can rely on the national DORSCON level as a reference. The ‘Disease Outbreak Response System Condition’ (DORSCON) is a colour-coded framework that shows the current disease situation. This lets you know what needs to be done to reduce the impact of outbreaks. The DORSCON level, which indicates the severity of a crisis, will also help you decide how long you need to implement your BCP. It also informs you on when you can begin transitioning back to your regular routine.
5. Consider the physical premises that will be affected, and identify back-ups
Businesses today must consider their digital assets and ‘locations’ in addition to their physical offices. This includes identifying where the weakest links are — entry points that could introduce risk.
For example, in the event of a health pandemic, physical proximity and person-to-person contact need to be reduced or, if possible, avoided to prevent a single sick employee from infecting the entire office.
In the case of a health emergency, companies might shut down physical offices that are within the radius of the pandemic. Instead, they could request that employees come to work virtually. Ideally, companies should already be using cloud tools and a virtual communications platform to ensure that employees can flexibly and smoothly transition from offline to online processes.
During a cybersecurity breach, on the other hand, the weakest link might be a physical room on a server, or an end-user’s e-mail. Consider these things: Where are your sensitive documents kept? Where is the user information stored?
You should identify the most important virtual locations long before the actual catastrophe happens, so that in the case of a breach, all you need to do is follow the process.
6. Address how you will implement the plan
Addressing the how of your BCP involves defining the tools you will use to carry out each step of the process. It also includes estimating the financial and HR costs and means to successfully complete the plan. Consider your firm’s technology infrastructure and access to sensitive data. Does your accounting software allow you to both enable and restrict remote access for specific users?
As many modern accounting processes rely on the cloud, it’s also important to think about data backups, how they will be maintained, who can access them.
Consider how you can continue communicating with your clients and share documents with them. It’s important to assure clients that their financial data remains private and secure even when your team becomes distributed geographically.
For example, during the current health pandemic, Chang immediately implemented business continuity practices to reduce the number of employees going to work in the office. Their remote work is made possible with the help of cloud accounting software and online communication platforms that facilitate seamless real-time collaboration.
“We use Xero to keep our finances running, and we are also using Zave for corporate secretarial work, and Singtax and Caseware for audits,” he says. “The office can access the server remotely via VPN so all documents are shared and stored in the server”.
All of OA’s departments are on software or cloud tools, so there were no issues with assigning teams to work in the office or at home.
The same goes for their clients. Chang shared that clients wishing to avoid face-to-face meetings would grant them access to documents stored in the cloud. Any correspondence would take place via email, phone calls, and messaging platforms like WhatsApp.
Communication is another thing you need to define. After all, no matter how good a BCP is, it won’t work if communication fails.
“OA requires staff working from home to report on their daily work and fill out timesheets. This provides updates on projects’ progress as well as determine where they can help each other out. The management also needs to express support for team members,” says Chang.
Always be prepared
Chang has three tips for accounting practices to weather unexpected events.
Firstly, have a work-life programme in place. This will not only increase staff morale and retention, but also prepare you for situations which demand mass work from home arrangements.
For instance, OA’s work-life programme includes days for remote working. This ensures that the employees are ready to work from home, as needed.
Secondly, adopt cloud-based technology, such as software and storage.
And lastly, if you’re concerned about keeping your personal phone number private, divert your office line to your handphone. The point is to be contactable by your team and clients alike.
These may sound quite specific, but that’s the point — to be prepared for different scenarios. You can do this with a BCP, and as a result, keep both your team and your clients satisfied when crisis strikes.
The post Six steps to build an effective business continuity plan appeared first on Xero Blog.
Source: Xero Blog