June 1, 2023

Business Continuity Planning

Once reserved for large businesses with a high degree of public dependency, such as banking, hospitals or utility companies, business continuity and disaster recovery plans have become increasingly important for businesses of all sizes.  Severe weather events such as Cyclone Gabrielle have increased the importance of planning for the unexpected.

While there is no legal obligation to have such a plan, they help businesses maintain a high level of engagement with clients, customers and staff during times of uncertainty while also creating an environment that is supportive of revenue generation. Good business continuity planning also ensures your legal and compliance obligations are not accidentally overlooked during a time of high stress and uncertainty.

What is a business continuity plan?

A business continuity plan (BCP) is also known as a disaster recovery plan or an emergency plan.  Sometimes businesses split the plan into different areas that cover their response in an emergency (workplace death or serious injury, active shooter, robbery or sudden loss of digital services), disaster (earthquake, flood or pandemic) and business continuity (how we continue to work once we have responded to the disaster or emergency).

Creating a BCP

When creating a BCP it is critical to look at all elements of your business and what could happen in various scenarios.  Asking yourself questions will help form the basis of your BCP, such as:

  • What are our key services?
  • How do we deliver our services?
  • What may we lose in a disaster and how can we protect against that loss?
  • Do we need to invest in technology or training for our staff?
  • Who are our key contacts, clients and stakeholders (don’t forget the staff)? We should have a communications plan to be in touch with all.
  • Do our contracts protect the business from unnecessary loss?
  • What do we need to do to safeguard the reputation of our business?

Once a plan is in place, it is essential to test this plan with your staff.  Not only do they bring a different perspective, but it also ensures that those people ‘buy in’ to the plan, and are prepared and trained in the BCP so it will work efficiently if you ever need to activate the plan.

Regulatory and legal considerations

Employment  

Generally speaking, if your employees are ready and willing to work and, due to no fault of their own, there is no work that can be completed, the presumption is that your employees who would ordinarily be working are entitled to be paid.

This means your BCP should consider how staff can add value to the business during the period.  Additional planning should include ensuring that your individual employment agreements anticipate what may be required of your staff during a BCP event.

WorkSafe has been vocal that employers have a responsibility to help manage their employees’ wellbeing.  This is especially important during times of increased stress. Your BCP should ensure you have effective communication methods with your staff, including the ways in which the business will support them. This will help ensure that you have taken adequate steps to mitigate additional stresses on your staff.

Privacy  
During a BCP event, without adequate planning and systems in place it is surprisingly easy to breach your obligations under the Privacy Act 2020 when staff are working from home.

Having work-related documentation available in the home to non-employees, as well as access to servers on personal computers that aren’t adequately protected could lead to substantial breaches of privacy.

Availability of information  

Some business documentation must be retained for several years, for example: tax returns, safety audits, professional services audits and so on. In a disaster, if your physical premises are destroyed or inaccessible, how will you comply with the required provision of information?

Since the COVID lockdowns taught many businesses the importance of being agile in a physically restricted environment, it is reasonable to think more regulatory bodies will be intolerant of excuses around a sudden loss of data that was insufficiently backed up.

Storage of information

If your business uses cloud storage of data or remote servers for backups or emergency continuity, care must be taken to ensure all data is stored in accordance with New Zealand privacy laws.  If the data is stored offshore, the collector of the data (that’s you or your business) is responsible for ensuring it is stored and handled at a standard comparable to New Zealand’s privacy obligations.

Contract risk

Your terms of engagement or terms of trade should dictate what standard of service you are required to offer your clients or customers during a business disruption.

Equally, when you have contracts with other businesses, you should review their contract terms to ensure they will be sufficiently flexible for you during that disruption.

Preparation is key

A good BCP should help your business prepare in the face of many unpredictable environments, far beyond the basic natural disaster scenario.

The best plans are regularly reviewed, rigorously tested by business owners and staff, and are flexible to adapt to the need at the time.

If you have any questions about BCPs or would like our help in putting one together, please don’t hesitate to contact us. We are here to help.