While there are many conflicting statistics about if and how long a business will stay afloat after it has experienced a disaster, one thing is certain, we are witnessing an increasing number of incidents from natural disasters, accidents, sabotage, power and energy disruptions, environmental disasters and cyber-attacks. Is your business prepared to weather one of these events? Do you have a plan that will enable your organization’s critical services or products to be continually delivered to clients? If not, it is time to build your business lifesaver. The diagram bellows shows 7 key steps to develop a business continuity plan.
Where to start?
The first step in creating your plan is completing an as-is analysis to identify the critical activities in your organization. Once you know what is most important, prioritize the activities for continuous delivery versus recovery, estimate the time required to recover and the issues that are unique to your organization or that are highly complex. Financial impact should not be overlooked: how long can your business operate without key revenue generating products or services while incurring costs to recover?
What are your risks?
Here you need to consider internal and external threats to the critical activities identified in the previous step. Depending on your location, your risks for certain types of threats may be greater than others. For example, if you are located on the East Coast of North America, the threat of a hurricane is very high. There are some risks that you would want to consider regardless of your location and make sure your plan has specific procedures for these; fire and flood for example. You will also want to assess how tolerant management is to operating at a reduced or minimum capacity and for how long. Risk assessment is about understanding your organizations vulnerabilities and identifying ways to avoid, reduce, or mitigate the risks associated with them.
How will you respond?
Preparing for step three in the plan answers questions about how you will respond to an incident. It is the very detailed, step by step tasks and procedures that need to be taken to reduce the risk to all of your company assets. In this step of the cycle, you want to organize recovery teams, determine task recovery procedures, and develop work site and technology recovery plans. As well, you will need to consider the impact on personnel. First and foremost their immediate safety, but after the dust has settled, they will want to contact loved ones or need transportation home. This can be challenging if they have lost their personal items such as keys, phones and their wallets. In the days and weeks to follow having counseling available for them and their immediate families will go a long way in helping them feel they are a valued part of your organization. It is also useful to develop a public relations plan. How your organization handles the media can prevent negativity and can help you maintain some level of control over what the community, your staff and investors are hearing.
Plan what plan?
A plan is only useful if people know about it. Once you have developed your plan, you need to communicate it to your staff and integrate it into your company’s policies and culture so that everyone knows where to find it, what it contains, and how to use it. It should be designed for stressful and confusing situations; therefore, it needs to use simple terminology. Hard copies and electronic format should be easily accessible and, contingent on resources available, a web portal is a great tool to maintain versions and increase access. Other groups that you will need to communicate with include: your neighbors, community, customers, suppliers, and banks. Having pre-prepared messages will decrease the time it takes to communicate with these key groups when an incident does occur.
You have a plan, now what?
The only way to know if your plan will work is by testing it. Your staff needs to know what to do, where to go and how to work together. Running test exercises increase survival likelihood and minimizes impact, they can also enhance public image. To train your teams and familiarize your staff, there are three different types of exercises that can be performed: Seminar, Table-top and Live. Below is a diagram outlining their major characteristics:
Whether it is after a training exercise or a real event you have experienced, it is crucial that you update your plans and procedures to make sure you address any weaknesses in the plan. What would you do differently to better protect your business? It is important to review your plan on a regular basis to ensure that details remain current. Updating the response team members contact information is a good example of information that can quickly become outdated.
Business Continuity Planning should be a consideration at all levels of the organization from strategic planning all the way down to your daily procedures. At Chazey Partners, we believe successful recovery from a crisis event depends on your people – not on your organization’s size, infrastructure, equipment, or technologies. Our structured Business Continuity Planning approach provides pragmatic recommendations for your current BCP strategy, also offers integrated solutions to develop a BCP program suitable to your organization’s need.