236 - How To Create an Effective Business Continuity Plan
A business continuity plan outlines procedures and instructions an organization must follow in the face of disaster, whether fire, flood or cyberattack. Here's how to create one that gives your business the best chance of surviving such an event.
We rarely get advance notice that a disaster is ready to strike. Even with some lead time, though, multiple things can go wrong; every incident is unique and unfolds in unexpected ways.
This is where a business continuity plan comes into play. To give your organization the best shot at success during a disaster, you need to put a current, tested plan in the hands of all personnel responsible for carrying out any part of that plan. The lack of a plan doesn't just mean your organization will take longer than necessary to recover from an event or incident. You could go out of business for good.
What is business continuity?
Business continuity (BC) refers to maintaining business functions or quickly resuming them in the event of a major disruption, whether caused by a fire, flood or malicious attack by cybercriminals. A business continuity plan outlines procedures and instructions an organization must follow in the face of such disasters; it covers business processes, assets, human resources, business partners and more.
Many people think a disaster recovery (DR) plan is the same as a business continuity plan, but a DR plan focuses mainly on restoring an IT infrastructure and operations after a crisis. It's actually just one part of a complete business continuity plan, as a BC plan looks at the continuity of the entire organization.
Do you have a way to get HR, manufacturing and sales and support functionally up and running so the company can continue to make money right after a disaster? For example, if the building that houses your customer service representatives is flattened by a tornado, do you know how those reps can handle customer calls? Will they work from home temporarily, or from an alternate location? The BC plan addresses these types of concerns.
Note that a business impact analysis (BIA) is another part of a BC plan. A BIA identifies the impact of a sudden loss of business functions, usually quantified in a cost. Such analysis also helps you evaluate whether you should outsource non-core activities in your BC plan, which can come with its own risks. The BIA essentially helps you look at your entire organization's processes and determine which are most important.
Why business continuity planning matters
Whether you operate a small business or a large corporation, you strive to remain competitive. It's vital to retain current customers while increasing your customer base — and there's no better test of your capability to do so than right after an adverse event.
Because restoring IT is critical for most companies, numerous disaster recovery solutions are available. You can rely on IT to implement those solutions. But what about the rest of your business functions?
Your company's future depends on your people and processes. Being able to handle any incident effectively can have a positive effect on your company's reputation and market value, and it can increase customer confidence.
"There's an increase in consumer and regulatory expectations for security today," says Lorraine O'Donnell, global head of business continuity at Experian. "Organizations must understand the processes within the business and the impact of the loss of these processes over time. These losses can be financial, legal, reputational and regulatory. The risk of having an organization's "license to operate" withdrawn by a regulator or having conditions applied (retrospectively or prospectively) can adversely affect market value and consumer confidence. Build your recovery strategy around the allowable downtime for these processes."
Anatomy of a business continuity plan
If your organization doesn't have a BC plan in place, start by assessing your business processes, determining which areas are vulnerable, and the potential losses if those processes go down for a day, a few days or a week. This is essentially a BIA.
Next, develop a plan. This involves six general steps:
- Identify the scope of the plan.
- Identify key business areas.
- Identify critical functions.
- Identify dependencies between various business areas and functions.
- Determine acceptable downtime for each critical function.
- Create a plan to maintain operations.
One common business continuity planning tool is a checklist that includes supplies and equipment, the location of data backups and backup sites, where the plan is available and who should have it, and contact information for emergency responders, key personnel and backup site providers.
Remember that the disaster recovery plan is part of the business continuity plan, so developing a DR plan if you don't already have one should be part of your process. And if you do already have a DR plan, don't assume that all requirements have been factored in,O'Donnell warns. You need to be sure that restoration time is defined and "make sure it aligns with business expectations."
As you create your plan, consider interviewing key personnel in organizations who have gone through a disaster successfully. People generally like to share "war stories" and the steps and techniques (or clever ideas) that saved the day. Their insights could prove incredibly valuable in helping you to craft a solid plan.
The importance of testing your business continuity plan
Testing a plan is the only way to truly know it will work, says O'Donnell. "Obviously, a real incident is a true test and the best way to understand if something works. However, a controlled testing strategy is much more comfortable and provides an opportunity to identify gaps and improve."
You have to rigorously test a plan to know if it's complete and will fulfill its intended purpose. In fact, O'Donnell suggests you try to break it. "Don't go for an easy scenario; always make it credible but challenging. This is the only way to improve. Also, ensure the objectives are measurable and stretching. Doing the minimum and 'getting away with it' just leads to a weak plan and no confidence in a real incident."
Many organizations test a business continuity plan two to four times a year. The schedule depends on your type of organization, the amount of turnover of key personnel and the number of business processes and IT changes that have occurred since the last round of testing.
Common tests include table-top exercises, structured walk-throughs and simulations. Test teams are usually composed of the recovery coordinator and members from each functional unit.
A table-top exercise usually occurs in a conference room with the team poring over the plan, looking for gaps and ensuring that all business units are represented therein.
In a structured walk-through, each team member walks through his or her components of the plan in detail to identify weaknesses. Often, the team works through the test with a specific disaster in mind.
Some organizations incorporate drills and disaster role-playing into the structured walk-through. Any weaknesses should be corrected and an updated plan distributed to all pertinent staff.
It's also a good idea to conduct a full emergency evacuation drill at least once a year. This type of test lets you determine if you need to make special arrangements to evacuate staff members who have physical limitations.
Lastly, disaster simulation testing can be quite involved and should be performed annually. For this test, create an environment that simulates an actual disaster, with all the equipment, supplies and personnel (including business partners and vendors) who would be needed. The purpose of a simulation is to determine if you can carry out critical business functions during the event.
During each phase of business continuity plan testing, include some new employees on the test team. "Fresh eyes" might detect gaps or lapses of information that experienced team members could overlook.
Review and improve your business continuity plan
Much effort goes into creating and initially testing a BC plan. Once that job is complete, some organizations let the plan sit while other, more critical tasks get attention. When this happens, plans go stale and are of no use when needed.
Technology evolves, and people come and go, so the plan needs to be updated, too. Bring key personnel together at least annually to review the plan and discuss any areas that must be modified.
Prior to the review, solicit feedback from staff to incorporate into the plan. Ask all departments or business units to review the plan, including branch locations or other remote units. If you've had the misfortune of facing a disaster and had to put the plan into action, be sure to incorporate lessons learned. Many organizations conduct a review in tandem with a table-top exercise or structured walk-through.
How to ensure business continuity plan support, awareness
One way to ensure your plan is not successful is to adopt a casual attitude toward its importance. Every business continuity plan must be supported from the top down. That means senior management must be represented when creating and updating the plan; no one can delegate that responsibility to subordinates. In addition, the plan is likely to remain fresh and viable if senior management makes it a priority by dedicating time for adequate review and testing.
Management is also key to promoting user awareness. If employees don't know about the plan, how will they be able to react appropriately when every minute counts? Although plan distribution and training can be conducted by business unit managers or HR staff, have someone from the top kick off training and punctuate its significance. It'll have a greater impact on all employees, giving the plan more credibility and urgency.