The importance of a robust business continuity plan
Over the last year, firms have had to quickly adapt to be able to keep delivering accountancy services to clients. This has been a smoother process for some than for others. For example, did your phone system continue as normal, or did you have to stop accepting inbound calls?
Looking back to the very start of the current pandemic, during which, regrettably, not every firm has been able to offer the same level of service as normal, qualitative research by ICAS found that business continuity and the ability of staff to work from home were seen as emerging issues of critical importance. Although the nature of events forced us to work from home, during these unprecedented times our expectations of the standard of service we receive have probably slipped too. As restrictions begin to ease, maybe now is a good time to reflect on where your firm can become more resilient, to ensure business continuity no matter the challenges you face.
Even if it’s not something as disruptive as coronavirus, natural or human-made disasters come in all forms, from a power outage or hurricane to plain old human error. Here are some of the main areas to consider when planning for your firm’s business continuity.
Staff are a critical resource to your business and their welfare is paramount. With 85% of those surveyed by Lugo seeing themselves and their colleagues working from home more going forward, you may have to rethink work practices. Look at who can work from home, who needs to be in the office and who is client-facing.
To ensure continuity of client service, have more than one person able to do certain tasks, and avoid ‘key man dependency’. With the risk of contracting coronavirus still high, and with people suffering from long COVID or even side-effects from the vaccine, plans need to be in place for when staff members fall ill.
In the real world, great technology and technical capabilities may still not make for a great response if the right people, with appropriate skills, are not in place. Human error is one of the highest risks to business continuity. Continual training and support enable employees to be confident they are acting in line with company policies and procedures.
Your business continuity plan will refer to policies, plans of action and methods for informing staff and clients. When surveyed, 75% of firms said they have a communication plan in place if they were breached.
Build a detailed emergency process with predetermined actions for communication and coordination, designated roles for employees, and emergency action plans that involve staff, clients and suppliers.
It’s good practice to build a business continuity team who are all aware of your:
- Disaster Recovery Plan, which we look at in more detail below
- Incident Response Plan, including communicating with clients
- Crisis Management Plan, how you respond to a critical situation
A well-planned and well-executed response will help to minimise the damage caused by an incident or disaster. This could mean anything from cutting the amount of data lost to minimising public fallout or lost clients.
You should work with your legal advisor to understand what it will mean if, for example, you can’t supply services to clients, as you may have to put an additional section in your terms of engagement. If you can’t meet your obligations, a clear understanding of your contractual terms will allow you to plan and prioritise your response.
It's worth noting that preparation and mitigation for data breaches are both explicitly required by the ICO, as part of your GDPR-related measures. They state that you should, ‘Have well-defined and tested incident management processes in place in case of personal data breaches.’
The pandemic may have challenged your IT to adapt and change the way you functioned in response to circumstances beyond your control. Over half (55%) of surveyed accountants said their IT strategy has changed since the impact of COVID-19, according to Lugo’s research. We probably all wish we’d bought some shares in Zoom a few years ago!
To ensure business continuity, it’s important to choose an IT support provider who has worked with and understands your industry.
Businesses in every industry have been put under pressure to switch from more traditional business models to digital-friendly ones running in the cloud. It’s important not to rush IT strategy decisions, but to be able to have informed discussions about when and how to move to the cloud, at a time that’s right for you.
Data Backup, Cyber Threats and Disaster Recovery
Lugo’s research found 90% of firms surveyed do have a disaster recovery plan in place. Some key considerations are:
- Who’s responsible?
- What’s backed up?
- How quickly can you get back up and running?
As the UK, hopefully now, emerges from the COVID-19 pandemic, organisations might also consider what more they can do to manage cyber security risks in a ‘blended’ working environment.
According to the UK Government’s Cyber Security Breaches Survey 2021, three in ten businesses (31%) have a business continuity plan that covers cyber security.
The U.S. Department of Commerce's National Institute of Standards and Technology (NIST) has a Cybersecurity Framework. It identifies the five key pillars of a successful and holistic cyber security program: Identify, Protect, Detect, Respond, Recover. This is a good place to start to decide where and how to focus your efforts.
If you have a robust, well-tested system in place and you can get all your vital business data from backup quickly, you can’t be blackmailed by a ransomware attack.
One of your systems with the highest impact is payroll; when people don’t get paid, there is no place to hide! That’s why payroll processing continuity is so important.
When Lugo asked accountants what continuity they have in place, particularly for their payroll bureau, responses were varied. They included external backups, off-site data replication, running payroll from home, BACS being cloud based and a virtual server in Microsoft Azure. Some, worryingly, didn't have any continuity in place.
When considering desktop payroll software, it’s fundamental to have a clear process in place to ensure payroll continuity. Remediate the weak links and document the steps you would take, keeping security front and centre. Ask yourself, how long can you afford to be down for, and work back from there. If your payroll data is continually replicated to the cloud or another device, in a worst-case scenario, you could re-install the payroll program on a different device and get it back up and running, for at least one person, in a matter of a few hours.
You can use cloud technology to help achieve business continuity. There are some SaaS (software as a service) payroll offerings allowing you to process from wherever you have an internet connection. Some organisations go as far as to keep copies of all SaaS data locally, in case of any access issues. Do you know how to extract a copy of your data stored in SaaS solutions? Maybe now’s the time to find out.
Build for a stronger tomorrow
Long gone are the days when businesses could shy away from clearly understanding the technology-related risks they face, rely solely on board members who often do not have sufficient technical expertise to identify and mitigate those risks, or rely too heavily on external suppliers without being able to challenge them as much as may be required. The clear and competent mapping of a business’s key processes and vulnerabilities, and the ensuing development of robust business continuity plans to mitigate these risks, will help you sleep soundly at night.
We’ve all worked hard during the pandemic to continue in business, despite the challenges we’ve faced. Now’s the time to pause, recollect and learn from what the last year has taught us.
Your teams have adapted and supported your clients through tough times. Your systems have withstood unplanned home working. By reviewing and improving your business continuity plan, you can emerge stronger and be ready for whatever is to come.
This blog is one of a series of articles from our commercial partners.
The views expressed are those of the author and not necessarily those of ICAS.