Part 1 examined the identification and communication of the business continuity plan’s changes. Part 2 will look at the implementation itself: documentation and guidance, monitoring compliance, and remediation.
Document and guide
It is not enough to tell everyone what the changes are. Management must also ensure their staff understand what changes have been made. While every member of staff will need guidance, there are many ways it can be documented:
Publishing a formal guidance note. Publishing can vary, but in smaller companies a notice placed in a central location will suffice. In larger companies guidance can be emailed or published on a corporate intranet. In operational environments, staff will need to see which steps of their projects have changed. For sales and more senior management, only the main changes probably need to be communicated.
Cascading via the management lines with middle mangers informing their teams. In a medium sized or larger company, this could be a team leader explaining the changes. In a small company, the owner can explain the changes to everyone.
Changing access to systems so that those who do not have approval or are no longer part of a process do not execute unauthorized transactions
Management should consider if formal documentation is required and, if so, make it available to all those affected. The documentation should include an approver, most likely a member of management, and an owner who is responsible for its implementation. In some cases, an additional contact person may be necessary who will answer general questions regarding applicability and changes to individuals.
Every change is expected to be followed; however, staff, customer, and vendor non-compliance with the new way of working sometimes happens. Sometimes this is intentional; however, in most cases it is due to misunderstanding or a management failure to fully implement changes. Monitoring compliance will help management close the gaps between expectations and reality and prevent any associated losses. There are two way to monitor compliance:
Set a control which requires a specific action, delivers an update, or prevents execution. These can be managed in a system. For example: If staff may no longer travel, access to the travel request system is blocked. Alternatively, if there is a specific vendor, for example a travel agent, contact that agent and advise them not to book any travel for employees.
Request evidence of compliance from those who are affected. Management may want to see that the changes have been implemented. For example: Managers must send the department head a new supplier’s set of financial statements to confirm their business is healthy.
Systems can send reports which managers can review for non-compliance trends and breaches of policy or protocol. Mangers do not necessarily need customised reports; they can request a quality assurance team to review for them and recommend changes.
Management must remediate weaknesses which allow non-compliance or changes which did not yield the intended output. There are two areas which might require remediation:
Staff do not comply with the changes and approve or execute transactions without authority. Management should develop an appropriate remediation plan which includes reminding staff of the changes, warning them, and if it continues, dismissing them from the company.
The change is not working or not effective and business operations are not performing as expected. Changes may have put too much work on a member of staff or management is not able to cope with the amount of approvals. If this is the case, management must determine if they want to change the process again or delegate some of the authority back. It might also be a signal that the change was not needed. (There is nothing wrong with reversing the decision!)
In some cases, the changes can continue without making major remediation and management can accept the risks of continuing.
The business continuity planning and implementation does not stop here. Management must constantly reassess the changes made and determine whether they should be developed further or if the company can go back to business as usual. Management can also review whether the business continuity model should be implemented as business as usual. This will be discussed in the next part.