We do everything we can to assess and mitigate risk in businesses and organizations in order to protect our assets, data and resources from loss, yet some inherent risk remains. Natural disasters, fires, floods and the occasional breakdown of systems through error or infrastructure failure occur regardless of the internal controls we implement as part of our risk management.
You don’t have to look any further than the recent February 2021 water and power outages in Texas. Every business, regardless of industry, should have a plan that addresses the actions to take in the event of a disaster or service disruption. The military calls these contingency operations, and you may hear them referred to as contingency management in business. To prepare for such a situation, every business should have a business continuity plan (BCP).
What is a BCP?
While there are some similarities to a disaster recovery plan, which focuses on restoring IT infrastructure and operations after a crisis, a continuity plan covers a broader scope. The business continuity plan (BCP) outlines how a business operates during a service disruption, for every aspect of the business that might be affected, including:
- Business processes: Identify potential threats and vulnerabilities in business functions and processes, and the potential for losses. What are the operational and financial impacts? What are the time-sensitive priorities? What production or service processes could be impacted?
- Human resources: How will personnel be managed during the emergency? How will they work, and from what location? Who is part of the business continuity team? Will personnel work from home?
- Business partners: What relationships and partners might be affected by the situation?
A typical business continuity plan includes a checklist for:
- Data backups, Information Technology
- Data Site / Data Center Locations
- Checklists with supplies and equipment
- Emergency Contact Information
Develop the Plan
6-Step Plan
- Identify the scope of the plan. Conduct a business impact analysis.
- Identify key business areas.
- Identify critical business functions.
- Identify dependencies between various business areas and functions.
- Determine acceptable downtime for each critical function. Identify if there are manual workarounds.
- Create a plan to maintain operations and include recovery time objectives.
As part of the planning process, while developing the plan and determining courses of action, identify and invite people in your organization who have been through a service disruption or crisis scenario to share their experiences and offer insight. These experiences can be extremely helpful in building a comprehensive plan and identifying any weaknesses or unique circumstances that affect your business.
War Game Your Plan
Once the plan is developed, it’s important to test it to make sure it works. There are multiple ways to “war game” a plan. The goal of the war game is to play out the potential scenarios and use courses of action that were developed to see if they work or if the plan needs revision.
- Table Top Method: This typically refers to key players going over the plan as an exercise “on paper” and collaborating and discussing the actions developed in the plan.
- Walk-through Exercises or Drills: A walk-through is literally a physical test of the plan. A specific scenario is played out and participants physically go through the process of how they should react, in order to identify any weaknesses in the plan.
- Simulation: A simulation takes a drill one step further by creating a realistic scenario to test the continuity plan. The simulation should include business partners affected by the scenario.
Review and Revise the Plan
The final and crucial step is to take ownership of the plan. Supervisors should take the plan seriously and review it with subordinates on a routine basis, at least annually. The routine review should include suggesting and making revisions for parts of the plan that are dated or no longer relevant.