Planning for business continuity
When things are going well, or when you’ve no obvious problems, it can be easy to forget the risks your business faces every day. These can include fire, flood, theft, equipment failure, network failure, human error, computer viruses or industrial action. Preparing a business continuity plan (BCP) can help to ensure ongoing business operation, and even survival, following a disaster. A BCP serves two main purposes. Firstly, it helps to prevent a disaster or security failure, or reduces its impact to a tolerable level. Secondly, it helps you to resume operations after a disaster. So, if you want to stay in business you should prepare a BCP before a disaster happens. And that means now!
Here is a practical seven-step outline of how you can set about the task.
1. Get management support
You must have the support of senior management for your BCP project to succeed. Even in normal circumstances — but especially in today’s difficult economic climate — it can be difficult to justify a BCP project, which management might view as an unnecessary expense. We are inclined to think that “it couldn’t happen to us” but, sadly, too often it does! Therefore, you need to make management aware of the risks your company faces and the potential damage to the bottom line and to ongoing operational capability. Once senior management support the project, the likelihood of success will increase.
2. Identify key business processes
Identify your key business processes and realistically assess the risks they are exposed to. Put simply, key business processes are those without which you would find it difficult or impossible to run your business. For example, if you depend on the Internet to deal with your customers, say through electronic shopping, then this is a key business process. If you make specialised equipment for a major retailer, then that production process is key.
3. Assess your risks
Having identified the processes, think of the risk of failure and the likely impact it could have on your business. Effective ways to do this include looking at things that happened in the past, scenario development and brainstorming. For example, computer viruses could destroy a computer or a disk could fail. A fire could destroy your restaurant’s kitchens. A health and safety incident could mean your business is closed temporarily, damaging your reputation. Remember that if you fail to meet your customer’s needs, even for one day, you could lose a valuable order, or a competitor could pinch your hard-won business.
4. Prepare business continuity plans
Next, for each process, prepare plans to prevent a disaster or minimise its impact and to recover from failure. Using knowledge gained from your earlier analysis, identify the actions you can take to deal with disasters, failures and security breaches. Specify emergency, crisis management, evacuation and fallback procedures to enable you to respond quickly when an incident occurs. Identify the buildings, facilities, materials and resources you will need and the people required to implement your continuity plan. Although insurance is becoming less of an option for many businesses, be sure to think about it as part of your overall strategy. Other typical continuity strategies include:
- Keeping computer backups off-site;
- Duplicating computer disks and processors;
- Keeping computer virus protection software and firewalls up to date and operational;
- Arranging for alternative buildings and equipment to be available so that you can maintain at least some production;
- Ensuring that adequate fire prevention and suppression equipment is available and working, and
- Agreeing with other organisations to act as backup sites for each other if one of you suffers a disaster.
Evaluate the likely cost of each continuity strategy and compare it to the likely cost and impact of each risk.
5. Document the BCP and train your staff
Write down the BCP and store it in a safe place, including an off-site location. Keep paper and computer-based copies of the plan. Make sure that everyone involved in the plan knows it exists and what they have to do if a disaster strikes. Train staff about the plan’s procedures and clearly specify their roles in responding to an emergency.
Maintain strict version control over the plan to be sure that all staff have the correct copy; this will avoid confusion if you need to execute the plan. Control circulation so that you know who has a copy.
The plan should be clear and detailed enough so that you can resume business operations using it alone, i.e., knowledge that is not in the plan should not be required to recover from a failure. The plan must be a “living document” and must be updated as circumstances change. This would happen, for example, when:
- People join or leave the organisation;
- New processes are introduced or existing processes are changed;
- New computer systems are introduced and old ones retired, or
- Risks change significantly.
6. Ensure continuity of operations
Ensure that your plan also covers continuity of operations. It should include strategies for ensuring availability of your buildings, systems, processes, people and services so that you can withstand a failure or security breach. Things to think about include:
- Using locks and identification cards to control access to buildings and facilities;
- Regularly inspecting and maintaining essential plant and equipment to be sure that they are working properly;
- Keeping critical spares on-site and off-site;
- Having access to an alternative building or facilities, and
- Entering into agreements with third parties for immediate support if certain specified events happen.
7. Test the plan regularly
Finally, test the plan regularly to ensure that it will work properly if a disaster, failure or security breach happens. Specify in the plan the number of times per year that you will test it. Think about hiring independent consultants to work with your testing team to ensure the integrity and objectivity of your tests. Note and report honestly on anything that did not work properly during the test and implement corrective or preventive measures urgently. Change the plan to reflect these new arrangements and tell everyone who should know about the changes. Withdraw all copies of the existing plan from circulation and issue the new one, remembering to replace the off-site copies as well.
When a test has been completed, send a full report on the outcome to senior management.
It could happen to you
Could a disaster hit your business? Should you have a BCP? In both cases the answer, most definitely, is “yes.” Whether you’re a big or a small organisation, it will be too late to realise that you should have had one after a disaster happens. Preparing a BCP is an investment in the continuous operation and future survival of your business. In today’s high-risk environment, it is one investment that should be high on every manager’s list of priorities.