How to Create a Business Continuity Plan
Business continuity management — more commonly known as “disaster recovery”, even in the present day — used to be about worst-case scenarios. That is: What is the worst thing that could befall my company, and how do I ensure minimal to no disruption of the company’s operations if that happens?
Being prepared for natural disasters with a Disaster Recovery Plan is the key to coping and restoration should disaster strike. In business, being prepared for disaster is the most important factor in whether your organization survives catastrophic damage by fire, flood, tornado, hurricane, or whatever Mother Nature throws at you, even a virus pandemic.
Preparing your business for disaster is called business continuity planning, which consists of understanding which critical elements of your business are not replaceable. You can always buy new computers, but what about the data on the computers?
What about your customer lists, intellectual property, or even your insurance policies? If your business is destroyed, then you need the data that is in your computers more than the computers themselves.
Disaster Recovery Plan
If you are not prepared for natural disasters, then you need a Disaster Recovery Policies and Procedures Manual. Here, experts in the field will guide you step by step to build a disaster recovery plan so that, should disaster strike, you can quickly get your business back up and running.
“What could happen” has traditionally centered on such events as:
- Natural disasters (fire, flood, storm, earthquake);
- Disasters of the human kind (terrorism, rioting, looting, virus pandemic);
- Major utility outages; and
- IT system problems (malware attacks, hardware failures, etc.).
While the likelihood of such a catastrophic event is believed to be very small, its impact – if it occurred – would probably devastate the business, causing it to fail.
Disaster Recovery Scope
As computers have insinuated themselves into every facet of every type of business, and the importance of alignment of strategy and operations has been realized, the scope of “disaster recovery” has broadened. More complex recovery systems have been devised to address companies’ needs on a more comprehensive basis.
However, we’re still focused primarily on disaster recovery — assuming that only the worst will happen — rather than using a truly comprehensive, risk-based approach to crisis and continuity management. Instead of dwelling on the most unlikely of possibilities, we ought to be more concerned with:
- What threats are more likely to take shape than others?
- Which of those threats, if manifested, will have the greatest impact on the company, which will have the next-greatest impact, and so on?
- How will the company act to prevent those problems or minimize their effect?
I’m not suggesting that your company has to completely give up on the doomsday scenario. However remote the possibility of a cataclysmic event, you want to be prepared.
I am saying that your business continuity plan ought to cover the risks inherent in conducting day-to-day business as well as the remote possibilities… things like the current brittle economic environment, or risks to our business structure and processes (e.g., cloud computing, embezzlement, misuse of company information, swine flu), and also consider shortages of critical supplies (toilet paper), skills (health professionals), and workers (from a lockdown order).
What do you think? Could your crisis and continuity management plan take a more comprehensive, risk-based approach? Are you satisfied with your current plan? Do you even have a plan?
Like anything else worth having, a continuity plan isn’t easy. However, the most elegant, complex plan isn’t necessarily the best one. Start simple, with a framework like the one below, and build on that.
1) Do you have a business continuity plan in place?
- If not…DON’T PANIC! Action driven by panic can often be worse than no action.
- If so, when was it last tested? How thoroughly?
2) Have you conducted risk assessments? What is the risk of a swine flu outbreak crippling your business (vs. other events, like a flood, tornado, or gas leak)?
3) Have you identified and prioritized your vital operations? (Don’t leave out payroll and benefits, whatever you do!)
4) What’s your employee attendance policy? “Come in unless you’re on your deathbed?”
- Do you have a telecommuting policy?
- How robust are your security policy and practices?
- How are your network and server capabilities (especially those you’ve outsourced)?
- How sure are you that your employees are getting the same information at the same time? How about your contractors/outsourcers? Are you keeping them informed?
- Are you able to keep your customers, suppliers, etc., in the loop?
6) Are your suppliers adequately covered? (That is, do they have a continuity plan?) Should you be worried about an interruption of supplies or services? Do you have a fall-back position?
7) Is your staff sufficiently cross-trained that you’ll be able to withstand a loss of 10, 25, or even 50 percent of your staff for weeks at a time?
8) What is the line of succession? Who makes executive decisions if the chief executive is incapacitated for a period of time?
9) When the flu bug has passed, be thankful you weren’t hit much worse. Then get started on a real continuity plan.
Periodically test every piece of the business continuity plan. A desktop or bench test is better than no test at all, but a “live” test of every function, department, and facility in your continuity plan is a must! If it’s been three or more years since any part of your plan was tested under simulated “real-world” conditions, you need to put your continuity plan to the test now!