Writing a Business Continuity and Disaster Response (BCDR) Plan that satisfies UK public sector contracts 

We recently started seeing a requirement for "BCDR" as opposed to "BCP" from customers tendering for some public sector contracts (in particular, the schedule named Schedule 14, for business continuity and disaster recovery, for the Mid-Tier Contract).  This post examines what BCDR means and explores how SMEs can adapt their BC capability to satisfy the requirement, based on our experience of helping affected clients.

The challenge of meeting the BCDR requirements

The definition of DR and what it means for SMEs

DR is widely understood to refer to IT Disaster Recovery. That’s not what’s meant here: in this context, DR refers to Disaster Response - delivering a planned, immediate response to contain extreme situations where operations might otherwise stop altogether.  The BC part then ensures we have procedures and capabilities for recovering from any resulting business disruption.

Larger organisations often have separately defined business functions that deal with incident response (DR), recovery (BC) and crisis management (CM).  Few SMEs have the resources to support this, so they benefit from a unified response that includes all three components.  BCDR is therefore beneficial, particularly if you don’t already have an incident response capability.

The statement of requirement (SoR) may not support an effective response

The statement of requirement (SoR) we reviewed is around 6 pages of semi-legal wording. It anticipates a compliant response from all tenderers, seeming to ignore the possibility that some or all might have workable tested plans of varying structure and maturity. 

The SoR imposes structure, sequence and content.  We feel the result is not entirely beneficial; for example, when responding to an incident, you don't need to read all the principles and operating procedures behind BCDR - you simply want fast access to minimum guidance that recovers your business.  The structure is (probably) imposed partly to make assessment easier and takes no account of whether it tears up a previously working, tested and familiar BCP. 

Different contracts may require different BCDR plans

Potentially, the SoRs we’ve seen or ones like it could be adopted in all or many public sector tenders, or they could be regional or one-off initiatives.  If it’s the former, then there is value in creating and adopting a compliant BCDR plan; if it’s the latter, then be prepared to re-invent or defend your BCP for every new tender.

Additionally, the SoR is only interested in the services that are being contracted. If you provide different services in other contracts, you may need to create new BCDR plans to satisfy each requirement.

What are your options?

Clearly, if you don't have any BCDR capability or documents, you’ll need to write material that satisfies the SoR.  However, even if you have a mature working BCP you may still have work to do to accommodate its requirements.  As we see it, you have three main options: 

Option #1 

Rearrange and redefine your BCP to accurately reflect the SoR  

The resulting unfamiliar, untested plan may undermine any capability or proven design you’ve built up but increases your chances of winning this and future public sector tenders.  It may be expensive and take a while as you’ll need to rewrite documents, train staff and run tests using the new plan. 

Option #2 

Document a new BCDR to satisfy the contract, but retain the original familiar tested plan

As Option #1, but without adoption, i.e. the new BCDR is document-only and you retain the original, familiar, tested plan.  This becomes impractical if the requirement includes exercises and tests.  It may also be unacceptable from the tenderer’s point of view.

Option #3  

Demonstrate and explain how your current BCP satisfies the SoR

Show how your current BCP satisfies the SoR, including any specific additions or changes you’ve made to comply.  This preserves your existing capability but may be rejected.  It is worth exploring as it’s the least-effort option, provided you already broadly comply.

In each case, you need to check thoroughly and add any required capabilities or components that are missing from your current approach. 

Our Suggested Approach 

Fortunately, and depending on the status of your existing BCP, we believe much of what the SoR demands can be satisfied using the following steps: 

  1. Write a Section 1 Governance Framework containing all the policy and administrative aspects of the requirement.  It can also document alignment with the ISO 22301 BC standard and record tests, reviews, roles and so on.  It could include or refer to a continuity impact and risk analysis that maps dependencies, identifies operational failure modes, and defines scenarios.
  2. Write a Section 2 Business Continuity Plan that provides an umbrella document for responding to all disruptions, irrespective of size or severity. It should include a decision guide and flowchart that help you decide whether to invoke DR (Section 3) or not, and a generic response detailing the processes, options, and responsibilities to be adapted when dealing with disruptions that don't satisfy DR invocation criteria. It should include a generic communications plan and a compliance page that clearly maps each required feature to the SoR (see below). 
  3. Write a Section 3 Disaster Response Plan comprising a collection of scenario runbooks for selection, adaptation and use if the DR invocation criteria are met.  The DR plan should be enabled and facilitated by the provisions and strategies identified in the BC document.
  4. Create and obtain policy backing for a 2- or 3-year schedule that clearly sets out when and to what extent you will train your team and test your BCDR Plan.  Log and report on every BCDR event as part of the permanent record.
  5. Review and update your documents at least quarterly, obtaining executive sponsor signoff. 
