"Business continuity is the ability of an organization to maintain essential functions during, as well as after, a disaster has occurred.”
In order to fully prepare your business in this way you must develop a business continuity plan. A business continuity plan establishes and details out all the business’ essential functions, policies and procedures for all areas of the business to bring the organization back to full functionality as easily and quickly as possible.
For each department or section of the business, your continuity plan should detail:
- All department functions and responsibilities
- Possible unique risks to the department as well as the business as a whole
- All essential systems and processes that must be kept running
- How to keep those essential systems and processes running in various disaster scenarios
Why is this Important?
Other than the obvious reasons like peace of mind that your business has a plan, and the future benefits in the event of an actual disaster, why is it important to spend the time developing a comprehensive continuity plan?
Increased Customer Confidence
When your customers know you’re prepared for anything, their confidence in your ability to provide them with the product or service they’ve come to rely on increases. An increased confidence in your business leads to an increased brand perception and positive reputation with customers, vendors, and prospects.
Increased Employee Confidence
Let’s be honest we all want to work somewhere we feel secure, and that doesn’t just mean in our individual positions. A continuity plan indicates to employees that, should the business face disaster, you’ve made every effort to ensure they still have a role and a place to work. Your continuity plan also helps outline communication procedures both in the event of a disaster and on a day-to-day basis leading to more informed, involved and happier employees.
What's the Difference Between Disaster Recovery and Business Continuity Planning?
To be honest, there isn’t a huge difference other than the fact that disaster recovery planning is highly focused on one area of the business, the information technology division. Disaster recovery plans are focused on ensuring the security, recoverability, and accessibility of the company’s technology and data assets post-disaster while a business continuity plan looks at the business as a whole and develops processes and procedures for each division.
So if you’ve already developed a disaster recovery plan you’ve already finished one section of your business continuity plan!
Before Creating your Business Continuity Plan
Before diving into your plan it’s important to have a complete understanding of some basic needs for your business, and what disaster scenarios and risks you actually need to be planning for.
Decide on Your Team
Developing a business continuity plan is not a small task, and should not be attempted alone, especially in larger companies. It’s important to include individuals from each division of the business, preferably individuals who have decision making abilities.
Because the goal of a business continuity plan is to develop, implement and communicate the outcome of the plan to the entire organization, it’s important that this team include a diverse group of employees. So when you’re deciding who should be part of your team look at years with the company, what division they work in, and their communication and organizational abilities.
Determine the Essentials
“Essentials” really breaks down into two categories: essential services and functions, and essential staff requirements.
Essential Services and Functions
These are the services/functions that when not delivered, or performed:
- Create an impact on individual health and safety, whether that be employees or customers
- Could lead to the failure of the business if not performed in a certain period of time
- Would create either an immediate or long term business impact
- Would cause the business to no longer be compliant with mandatory regulations
Essential Staff Requirements
Part of the business continuity planning process is determining which staff members are vital to keeping the business operational and maintaining the essential services and functions defined above. You need to understand and list out the needs of each staff member to perform their specific job. Whether they be certain equipment/technology, certain skills, or even access to the rest of their team, you need to make sure your business continuity plan includes all of this.
Perform a Business Impact Analysis
A business impact analysis (BIA) can help you determine all of the above essentials, as well as help you define all the potential risks your business faces, which is a vital part of building your plan.
A BIA is a “systematic process to determine and evaluate the potential effects of an interruption to critical business operations as a result of a disaster, accident, or emergency”. As you go forward and develop your plan, all of these risks will need to be at the forefront of your mind. We recommend writing them all on a whiteboard in your office or conference room, that way they are seen and reinforced through the whole planning process. After all, you can’t plan a response when you don’t know what the actual risk is.
Developing your Plan
Essential Functions, Services and Staff
The first part of your plan will be developing policies and procedures for every essential service your business provides, every major department involved in developing or performing these services and the functions each of your employees perform on a day-to-day basis. These sections need to include:
- A description of the services or function
- A list of who is responsible for implementation and communication of both the plan and the overall strategy when the business is running at full capacity
- Main & secondary contacts and all their information
- Potential risks to the business as a whole, and the unique risks for this particular division, and the business impact of each
- Plans for communication, staff relocation, suppliers, and how to access required resources/various needs
Once you’ve detailed out plans for the essential functions, services, and staff it’s important to put together a comprehensive list of anyone within the organization who would need to be alerted should a disaster occur. Ask yourself:
- Who needs to be informed?
- How do I contact them outside if I can’t use their company provided email/phone number?
- What role do they play in the recovery efforts?
- What information do they need to perform their role?
Keep in mind you may also want to prioritize who gets contacted. If there are individuals who are essential to the recovery efforts you will obviously want to contact them first to get them to work, while others it may be ok to contact once the initial shock has been dealt with and recovery efforts are underway. This is something you will want to indicate in this contact list.
Once your employees have been informed it’s time to inform customers. Just as with your internal staff you will need to have a list of customers that would need to be informed of potential disasters or disruptions to your services/products.
This list should include:
- Name and contact information
- What products/services they utilize
- Any recovery time estimate/information you have that will settle their fears about your business and ability to work with you in the future
- Any other information they may find necessary or helpful.
This section of your business continuity plan should also include information for your employees who are contacting your customers with details on what to say, what not to say, and the established procedures on how to get in contact with your company during the recovery period.
Vendors and Business Partners
Now it’s time to make a similar list to the two above, but for everyone connected to your business that is not a direct employee or customer. These individuals include:
- Those who rely on your business for information
- Those who provide your business with a service/product (insurance, security, facilities, legal, outsourced departments, etc.)
- Anyone that has any financial interests in your company
Keep in mind that should the disaster be a data breach or something similar, this list will also include any government agencies that need to be informed.
These entities may not have a direct involvement in the short term recovery efforts but will need to be informed of the ongoing efforts and may have a part to play in the long term recovery of the organization.
Review, Revise, Test
Review and Revise
Once you’ve completed the plan it’s important to come together with the entire team to review it. In this phase of planning it’s essential that you ensure all the sections of the plan are detailed, that all possible risk scenarios have been discussed and that all the procedures are clear and consistent ensuring everyone’s ability to understand and follow procedures in a uniform fashion.
A thorough review should give the team initial indicators to anything missing, allow you to make changes and gives the entire team a chance to discuss the implementation process.
Test, Test, Test
This part of planning is extremely important. If you don’t test the policies and procedures, you can’t be 100% confident in your plan, and if you’re not 100% confident, what was the point in creating it? Your tests should be based around realistic and challenging risk scenarios that you discovered in your BIA. If you’re prepared for the worst, smaller scenarios will be handled just as well.
Cio.com talks about 3 different ways to test your business continuity plan:
- Table top testing. This test is similar to an all team review. Usually this is done in a conference room with all teams represented, where everyone pours over the plan in regards to various risk scenarios.
- Structured walk through. In a structured walk through each team member walks through their section of the plan in front of the whole team with a specific disaster in mind, to identify and correct weaknesses. This may include disaster drills or role-plays to ensure every detail has been addressed.
- Disaster simulation. A disaster simulation requires not just the business continuity planning team but everyone in the company, vendors, and essential outside personnel to simulate recovery efforts in the event of a disaster. Disaster simulations not only test the plan itself, but also your employees ability to execute the plan, while bringing in fresh eyes/perspectives that may detect unseen issues or gaps.
After all of these tests it’s important to regroup, combine your notes from each test, and make any necessary changes to the plan.
Don't File it Away
Now that all the work is finished and your plan is ready to be put to use in the event of a disaster, don’t forget about it all together. While the majority of the work is done it’s important to remember that this is a living document and should be reviewed annually or when any major organizational changes occur.
As your business changes, your plan will need to change too. You don’t want to find yourself in the middle of a disaster five years down the road realizing that your entire plan is obsolete, and no one knows what they need to be doing.
Business continuity has also been called organizational resiliency, so while building a plan might seem like a lot of work and that you have more important things to do, the importance of having that plan and having a business that is resilient in the face of a disaster is worth all the time spent creating it. As a company who has worked with businesses experiencing disasters, the proactive, resilient and prepared companies always fare far better than those who attempt to recover their business in a purely reactionary way.