We recently started seeing a requirement for "BCDR" as opposed to "BCP" from customers tendering for some public sector contracts (in particular named Schedule 14 for business continuity and disaster recovery for the Mid-Tier Contract). This post examines what BCDR means and explores how SMEs can adapt your BC capability to satisfy the requirement, based on our experience of helping affected clients.
DR is widely understood to refer to IT Disaster Recovery. That’s not what’s meant here, and in this context, refers to Disaster Response - delivering a planned immediate response to contain extreme situations where operation might otherwise stop altogether. The BC part then ensures we have procedures and capabilities for recovering from any resulting business disruption.
Larger organisations often have separately defined business functions that deal with incident (DR) response, recovery (BC) and crisis management (CM). Few SMEs have the resources to support this and benefit from a unified response that includes all three components. BCDR is therefore beneficial, particularly if you don’t already have an incident response.
The statement of requirement (SoR) we reviewed is around 6 pages of semi-legal wording. It anticipates a compliant response from all tenderers, seeming to ignore the possibility that some or all might have workable tested plans of varying structure and maturity.
The SoR imposes structure, sequence and content. We feel the result is not entirely beneficial; for example, when responding to an incident, you don't need to read all the principles and operating procedures behind BCDR - you simply want fast access to minimum guidance that recovers your business. The structure is (probably) imposed partly to make assessment easier and takes no account of whether it tears up a previously working, tested and familiar BCP.
Potentially, the SoRs we’ve seen or ones like it could be adopted in all or many public sector tenders, or they could be regional or one-off initiatives. If it’s the former, then there is value in creating and adopting a compliant BCDR plan; if it’s the latter, then be prepared to re-invent or defend your BCP for every new tender.
Additionally, the SoR is only interested in the services that are being contracted. If you provide different services in other contracts, you may need to create new BCDR plans to satisfy each requirement.
Clearly, if you don't have any BCDR capability or documents, you’ll need to write material that satisfies the SoR. However, even if you have a mature working BCP you may still have work to do to accommodate its requirements. As we see it, you have three main options:
The resulting unfamiliar, untested plan may undermine any capability or proven design you’ve built up but increases your chances of winning this and future public sector tenders. It may be expensive and take a while as you’ll need to rewrite documents, train staff and run tests using the new plan.
As above but no adoption i.e. document-only and retain the original familiar tested plan. This becomes impractical if the requirement includes exercises and tests. It may also be unacceptable from the tenderer’s point of view.
Demonstrate and explain how your current BCP satisfies the SoR and any specific additions or changes you’ve made to comply. This preserves your existing capability but may be rejected. This is worth exploring as it’s the least effort option, provided you already broadly comply.
In each case, you need to check thoroughly and add any required capabilities or components that are missing from your current approach.
Fortunately, and depending on the status of your existing BCP, we believe much of what the SoR demands can be satisfied using the following steps:
If you need help with meeting BCDR requirements in tenders, click on the link below, or get in touch via the contact page.