How to effectively manage your business contingency plans

As you ride in on the 6:34 train, something isn't quite right. There is restlessness in the carriage. The Blackberries and iPhones that usually spark work and conversation are silent. The networks are jammed. Something has gone badly wrong. A major national crisis. Your organisation's future now rests on your business contingency plans. How confident are you in yours?

Common assumptions about business contingency

The weather, the economy, terrorists, natural disasters - they all have the potential to threaten our livelihood at any time. Yet they remain the nightmare we fail to effectively prepare for.

For too long business contingency has been treated by organisations as a low-priority overhead, and the results are plain to see: passengers walking to safety through the Channel Tunnel when snow caused trains to break down; the English tourist industry crippled by the uncontrolled spread of Foot and Mouth disease.

When we know incidents like this can and do occur, why do so many organisations continue to get business continuity management wrong? Common mistakes are:

  • Lack of effective planning

Some contingency plans just don't exist, whilst those that do are often ineffective, overly complex or incoherent. Many prepare for highly specific and anticipated crises, but fail to predict what actually happens. Worse still, many planned responses are well thought out but based on old information or business imperatives that no longer exist. The Foot and Mouth outbreak in the early noughties is a good example of bad practice: the contingency plan was focused entirely on the protection of the meat export trade, critical when the plan was originally drawn up, but at the time of the crisis worth only £592m, not nearly as significant to the UK economy as the at-risk £64bn generated by British tourism - that was left unprotected and unplanned for.

  • Lack of practice

Plans are essential, but will amount to nothing if they are not practiced on a regular basis. Examples of failover generators failing to start when mains power is lost, or running out of fuel shortly afterwards, are too numerous to mention. Then there are the back-up data centres that should take control the moment something happens to the main data centre (such as a flash flood or a power failure), but can't take control because their servers have been gutted for spares to keep equipment running elsewhere.

Then of course there are the staff who don't know their roles and responsibilities because these are different to their day-to-day job. Without practice, no plan will work.

  • Lack of flexibility

You have a plan and it's a work of art – all the scenarios are planned for, resources have been ring-fenced and you have even practiced failovers from one London office to another. Then a terrorist incident occurs and the security forces use the M25 to seal off the whole of London. Your plan then fails because everything has been practiced except the use of people's initiative to respond to the unexpected – in this case, that nobody could get into either office.

It was the British Army who finally brought the Foot and Mouth crisis under control, not through deep knowledge of the original Ministry plans, but by taking a flexible response to the real situation they found in front of them – vets delayed by hygiene procedures and thousands of unburied carcasses.

You need to retain an element of flexibility in your plans, and stretch staff running them by exposing them to the unexpected on a regular basis.

How do you get business continuity management right?

Planning for a crisis requires a well thought out, methodical approach. At Moorhouse, we think that business continuity management (BCM) should be run as a programme with a deferred implementation phase, rather than as a back-office operational overhead that is underfunded and largely ignored.

Good BCM will not only protect your organisation from the negative impact of an incident, but may also allow it to exploit the situation, as less well prepared competitors struggle to keep going. Loyalty to those who are able to help in a crisis is likely to be far greater than to those who save you a few pounds in normal times.

There are three key steps to this approach:

  • Action 1 – Organise and prepare as a programme

The programme team should develop a BCM strategy that suits the organisation, taking into account such items as critical business activities and their maximum tolerable periods of disruption. The strategy should address resources such as people, premises, technology and information, and cover all three phases of BCM: incident response (typically the first few hours), business continuity (days, possibly weeks), and recovery of normal service (days to weeks, depending on the incident). Major stakeholders including customers, suppliers and the press should be identified and catered for.

Clear roles and responsibilities are of even greater importance in BCM, as confusion can paralyse the whole organisation very quickly. A person with appropriate authority must have overall responsibility for BCM and be accountable to top management. An incident management location, and an alternative, must be chosen from which the response can be managed.

All pre-incident preparations should then be made and clear plans for the deployment or 'response' phase developed. The plans should address a small but comprehensive set of generic incidents rather than a myriad of variations on a theme (e.g. develop plans for significant absence of staff rather than for swine flu specifically). Plans must be clear, simple and kept up to date.

  • Action 2 – Practice the expected and the unexpected

There's a saying in the military that no plan survives the first round of battle, yet the military are known for their detailed planning. What must be understood is that their plans get them to the 'start line' and prepare them for the battle ahead. They ensure sufficient ground troops are in the right location with adequate air and artillery cover, and uncommitted reserves are set aside to tackle incidents that cannot be foreseen.

Then they practice, and where possible, they use other friendly troops to play the enemy so that they can practice responding to the unexpected (something the real enemy is always rather good at), as well as the expected, and so they learn to be flexible. This is fundamentally why the British Army was so successful in bringing the Foot and Mouth incident under control: they practice responding to the unexpected, and using their initiative.

So it is with BCM. Plan, prepare and then practice both the expected and the unexpected. If the plans include running operations from a second site, practice doing just that, and then, without warning, evacuate the second site for a fictitious but realistic reason. Encourage those who rise to the challenge by coming up with innovative solutions; coach those who accept defeat.

  • Action 3 – Communicate

As with any programme, there should be a communications plan that addresses all the stakeholders, but don't forget - communications need to be reliable, robust and controlled in a crisis. Mobile phones may well not work (as during the London bombings in 2005), and e-mail is too slow to be of use. If the incident response centre can't communicate with the workforce in both directions, then control cannot be exercised, and feedback (on the unexpected) can't take place. Consider using radios or Skype phones, but both must be set up and training given before they are used or they will just add to the confusion.

Then there's the press who want a story. Either give them one or make sure there isn't one. If you leave it to chance then they will make up their own story, based on the little they actually know, putting you on the defensive trying to correct the story after your reputation has been lost. Look at the press pictures from the Foot and Mouth outbreak: Britain in flames did little to help the tourist industry.

Conclusion

The recent ash cloud disaster should be the last reminder you need to get your business continuity right. Natural and man-made disasters can and do happen to everyone. By running business continuity management as a programme with a delayed, but well rehearsed, implementation phase, you stand the best chance of not only protecting your organisation from the negative impact of a major incident, but also positioning it to take advantage of such a situation when less well prepared organisations struggle. If your product keeps working, or your phone lines stay open when disaster strikes, word will get around. Trouble and strife tends to focus the minds of those affected onto those who can help.

© 2011 Moorhouse.
