Business Continuity Management and Brexit

There are opposing views to the benefits or not of Brexit, but whichever side of the argument you fall on, you will always want to know that your business is resilient and will survive whatever life throws at it. One of the best ways of achieving this is with Business Continuity Management (BCM).

By Andy Fyfe, Head of Resilience, Buckinghamshire County Council.

BCM is what a business can do to ensure the continuity of its ‘critical activities’ in the event of a disruption to its internal services, whatever the cause. Critical activities are those without which your business will fail. You identify these through an assessment process (a 'Business Impact Analysis'), though many SME owners will know most of them instinctively. If something isn't 'critical', then you don't need to focus on it immediately, as a temporary loss will not have a critical impact on your business (just keep an eye out for how long you can do without it!).

Once you know what your ‘critical activities’ are, it’s helpful to know what resources you need to deliver them – people, premises, equipment, ICT software / hardware etc. When thinking about that, you may identify gaps in your resilience which you could fix now – for example, the door with only one key-holder – or issues that may need more consideration, such as the single warehouse with all your stock in, or, with Brexit in mind, the staff that come predominantly from the EU. Are these acceptable risks or do you need to develop some mitigation?

You should also consider your critical interdependencies – who do you rely on to deliver your critical activities? And who do they rely on? This is a big one, not least for Brexit planning.

Think about the following issues:

  • What is your supply chain resilience? Where do the components for your critical activities come from? The EU / US / Asia? What are the implications? What about your provider’s provider?
  • What about service provider resilience? Can your contracted service provider still deliver for you to contract? What does your contract say?

You might also want to consider:

  • Are you a provider of services to others and what happens if you suddenly cannot guarantee your services? What will your clients / customers do?
  • If you want to get into a market, will the ability to show your resilience benefit your business case? (Note: for most public sector organisations, it will be a regulatory requirement for the service provider to be able to demonstrate their resilience through a BC Plan).

Business Continuity Planning Assumptions

As mentioned earlier, BCM is concerned with disruption, whatever the cause. In BCM, we plan to continue with critical actions in the event of the consequences of various risks, as opposed to specific risks themselves. In that, there is a greater degree of resilience. So how does that work?

If you focused just on hazards, you might end up with a long list, for example: flu pandemic / epidemic, SARS, MERS, other contagious illnesses etc. Arguably you could devise a plan for each or wrap it into a communicable human health plan - but realistically, you are unlikely to. But if you focus on planning for a 'loss of staff', not only do you cover these examples, but you cover every other eventuality that might occur and which results in a loss of staff. These are BC Planning Assumptions, and could include loss of staff, premises, IT, Telecoms, fuel, electricity, water, gas etc.

The Government have provided a list of Business Resilience Planning Assumptions, which should be extended to include loss of IT. A BC planner would need to consider how to continue the identified critical activities in the event of each of these planning assumptions – or indeed a combination of them (for example, a total loss of electricity has multiple consequences, including in a worst case scenario the loss of water, IT, telecommunications, fuel etc).

The outcome of this would be a checklist of possible actions required to mitigate the risk, or an identified gap requiring further work – for example, identifying a secondary warehouse for stock that would then be built into the final BC Plan. At all stages of the BCM process, the outcomes should be consolidated and it is these that will eventually be pulled together with other details, such as checklists, contact lists, and maps to create an effective BC Plan.

More information and support

There is a BCM International Standard (ISO22301) and for more information and practical support and guidance, there is the Business Continuity Institute (BCI). The Thames Valley Local Resilience Forum has also developed a Community Risk Register which summarises some of the key risks facing the Thames Valley and identifies some measures that can be undertaken to mitigate them.

Bringing the subject back to Brexit, the Government has published 'Technical Notices' for specific businesses / sectors, but for many smaller businesses these are not always relevant.  With that in mind, BCM should be considered a fundamental part of modern business resilience, a pre-requisite for public sector contracts, a critical difference between your and other similar businesses in the marketplace, and as a priority for ensuring that a business is ready for the consequences of Brexit – whether risk or opportunity.

Going forward, there is an intention to provide more resilience-based articles in the Buckinghamshire Business First newsletter, and to organise events looking at BCM and the wider concept of Business / Organisational Resilience (Risk Management, Cyber Security etc).

Visit the 'Brexit in Buckinghamshire' page

We have a dedicated Brexit page on our website that features resources and information relevant to businesses navigating the UK's departure from the EU.

Buckinghamshire Brexit Summit

The second Buckinghamshire Brexit Summit will take on Wednesday March 6th 2019, as part of the Buckinghamshire Business Festival.

Cyber security event - April 24th-25th

CYBERUK is the UK government’s flagship cyber security event. Hosted by the National Cyber Security Centre (NCSC), it features world-class speakers, solutions and opportunities for interaction between the public and private sectors. You will be briefed on the evolving cyber threat and how we must respond as individuals and as a community to keep Britain safe in cyberspace.

The event takes place on April 24th-25th at the Scottish Event Campus in Glasgow.

Registration is now open and places cost £700 +VAT. There are a limited number of discounted places available for SMEs. To enquire about this, email

Further information is available at

Business community ambassadors