How to Establish Your Business Continuity Plan
Why Every Company Needs a Business Continuity Plan
A Business Continuity Plan is a formal document that outlines how your business will continue to operate during an unforeseen emergency. This includes a wide variety of events, such as:
- Natural disasters (such as fire, flood, or earthquake);
- Power outages (which can cripple a healthcare facility or manufacturer);
- Virus outbreaks (like COVID-19);
- Long-term internet disruption;
- Cyberattack (which can compromise entire networks and expose sensitive client data, patents, patient history, and customer bank accounts);
- Cloud provider outage;
- Critical vendors being compromised or going out of business; or
- The sudden loss of an owner or other key player.
A Business Continuity Plan can keep your business up and running during the worst of circumstances. It can also help protect your brand and retain customers, safeguarding your company over the long term.
It’s a bit like insurance. You invest in it and hope you never need it. But when you do, a well-written Business Continuity Plan can mean the difference between protecting your livelihood and losing your business.
What You Should Include in a Business Continuity Plan
A comprehensive Business Continuity Plan (BCP) should include contingencies for everything from business processes and technology to human assets and physical locations. Specifically, it should contain:
- Disaster Recovery Plans for every conceivable emergency scenario, detailing how critical operations will be maintained during short-term and long-term outages;
- An Information Technology (IT) Disaster Recovery Plan, covering data security and accessibility, as well as software, hardware, and equipment requirements;
- A Crisis Communications Plan, detailing how the company will communicate its situation to customers, patients, vendors, shareholders, and the general public;
- An Employee Assistance Plan, outlining what management expects of employees during the emergency, and how management will support them during the disruption.
The Four Areas of a Business Continuity Plan
Business Impact Analysis
A business impact analysis (BIA) is a systematic process used to evaluate the potential effects of an interruption to critical business operations. During this risk assessment, operational and financial consequences should be considered for different loss scenarios, capturing the impact of a pandemic versus a cyberattack, for example.
Here are a few important things to consider in a BIA:
- Identify all critical business functions and processes. Record how each task is performed, who performs it, and the impact on the business should it be interrupted. Consider the effect for a day, a week, a month, and so on.
- Identify key contacts for every department and division and their responsibilities.
- Record the company’s organizational structure and identify alternate points of contact, should the structure be disrupted (for example, if a team leader were to become incapacitated).
- Consider all vendors the business relies on. How would a business interruption impact them? How would you be affected if they had a business interruption? Identify “Plan B” vendors if they are critical to your operations.
There are many tools available to help create and organize a BIA, including questionnaires, data flow diagrams, and BIA software that can help you gather the necessary data.
After identifying the critical components, you must prioritize them. Identify what resources you have in place currently to protect the company from a negative consequence. Then conduct a gap analysis to determine what additional support you require to get things running again in the event of an emergency.
Keep in mind that recovery strategies may vary along with the disaster that has occurred. For example, if your network is compromised, who knows how to stop the breach and restore your backups? If you have to evacuate your space suddenly, how would you replicate your working environment?
This is the stage when everything comes together in a formal document that will ultimately be shared with all relevant personnel.
- Document a framework for how recovery will take place, organized by department and solutions.
- Develop a recovery team that will be responsible for oversight and coordination. All members should have copies of the plan on a flash drive and printed inside a binder.
- Identify relocation plans, should your physical space become compromised or an evacuation become necessary.
- Consider manual workarounds for all critical processes, should your technology or machinery become compromised or inaccessible. For example, can scheduling or reporting be completed in an old-fashioned way (paper and pencil)? Should schedules, appointments, or deliveries be printed daily, so customers and patients can be contacted in the event of an office disruption?
In addition to the above, you will need a comprehensive IT Disaster Recovery Plan that addresses the company’s data, software, and hardware needs, as well as accessibility. For example, in the event of a cyberattack, how will you stop the breach, recover your data, and keep operations running in the process? Should your office be inaccessible for any reason, which employees can work from home, and how will they do so? You’ll need to consider remote access, security protocols, software and hardware needs, and much more.
Testing and Training
Every aspect of a business continuity plan must be tested and proven. Everyone must know what is expected.
- Begin by simulating different types of disasters. Ask yourself: what worked, what could have gone better, and what was forgotten?
- Update the plans according to your findings, and test again.
- Train staff on all relevant aspects of the plan, and ensure the processes are documented so new employees can quickly be brought up to speed (you never know whether a disaster will happen during an employee’s first week).
- Ensure there are multiple copies of the plans, on-site as well as off-site, in print as well as digital.
- Update the plans as needed to account for new technologies, infrastructure, processes, team members, etc.
Failing to Prepare is Preparing to Fail
Businesses fall into three categories when it comes to business continuity planning:
- Those with a formal plan are quickly able to resurrect their operations in the event of an emergency. It is likely these businesses already planned for work-from-home scenarios, and in the current pandemic, experienced minimal downtime.
- Businesses with drafts of untested plans and loose guidelines may or may not be able to mitigate their losses. In the case of COVID, most companies had time to fill the gaps in their planning and get their teams operational. Had the emergency been an immediate shutdown due to a natural disaster or cyberattack, this group may have suffered more.
- Businesses that have placed business continuity planning on the back burner, hoping never to have to deal with it, suffer the most. These companies are left exposed to business interruption, data loss, and revenue loss, as well as eroding customer trust, long-term lost business, and a jeopardized brand.
Emergencies capable of crippling a business can happen at any time, to a business of any size. Don’t get caught unprepared. Feel free to contact us if you would like to discuss your Business Continuity Plan.