In this article, we take a look at what a Business Continuity Plan is, what it should contain, and why it’s such an important document.
Accepting that the unexpected and disasters will happen (and that you can plan how to maintain business continuity while you deal with them) is an important step in safeguarding your business. Maintaining the ability to ensure that core functions and critical systems remain in place in the event of such a situation involves planning, an important part of which is the business continuity plan (BCP).
What Kind Of Events?
The kind of events that create the need to have a BCP in place and ready to go include:
– Hardware failures/server failures.
– Outages and/or file corruption.
– The effects of cyber-attacks. For example, 53% of senior managers believe that a cyber-attack is the most likely thing to disrupt their business (Sungard), and the effects could include damage to or lock-out from systems (malware and ransomware), fraud and extortion, and data breaches (which could also attract fines under GDPR, damaging publicity and loss of customers).
– Failure of an important third-party supplier, or the loss of key employees.
– Failure of part of a network or of a network component.
– Environmental/natural disasters (e.g. fire and flood).
– Theft or loss of equipment holding company data.
– Financial and cashflow issues.
The Business Continuity Plan
The goal of a BCP is to ensure that the resources needed for continuous operation and disaster recovery are available following an emergency. A BCP, therefore, is the plan/document that sets out in detail how a business will continue operating during any kind of unplanned disruption in service.
Not The Same As A Disaster Recovery Plan
A disaster recovery plan (DRP) is part of the BCP. The DRP focuses mainly on the restoration of IT infrastructure and operations following a crisis, whereas the BCP covers the entire organisation.
How To Make A BCP
There are several stages to making a workable BCP. These are:
Create the team to develop the plan.
This stage will ensure that the plan actually gets made and updated and is able to take into account the main issues. This involves getting support from top management, assigning a person to manage the process, and putting together a team consisting of key people from each business department who can feed into the plan. The team should also decide upon the scope of the plan.
Start documenting the details of the BCP from the outset.
Everything decided in the making of the plan should be documented. This is something that should be set up at the beginning so that each new element can be added and checked and so that at least something is available if anything happens during the planning process. The plan should be securely stored off-site (e.g., in the Cloud) and each relevant person given access.
Conduct a full risk assessment.
This involves generating a list of all the known possible man-made, natural, and environmental risks and threats that could disrupt the continuity of the business and prioritising this list in terms of how serious the impact could be. This prioritisation of risk and threats will indicate which areas of the BCP should be tackled first. The kinds of risks and potential threats that could be taken into account include:
– Natural and environmental risks related to geographic location and weather patterns. These could include floods, storms (esp. lightning), earthquakes, landslides and more.
– Technology-related issues, such as human error and the effects of cyber-attack, loss of telecommunications, vital equipment/hardware failures, data outages and corrupted data, power failures, loss of local network services, and prolonged technology outages.
– Market and financial-related risks and threats. These could include trends and movements in the market, cashflow issues, and stakeholder issues.
– Facility-related issues and internal hazards e.g., fire, electrical failures, water leaks, HVAC failure, chemical spills/leaks, strikes and more.
Create recovery plans for each function.
With the risks and threats identified and prioritised, the next stage is to:
– Generate a list of the critical functions of the business/organisation.
– Look closely at how each risk could affect each critical function of the business/organisation.
– Create individual recovery/continuity plans for each situation where you have identified how a risk could adversely affect that function. These mini-plans could include details such as creating data backups or maintaining a secondary location.
Define who does what.
Once each of the smaller plans has been created to tackle the risks and threats to critical functions, the next stage is to assign responsibility to the staff members who will be needed to undertake and co-ordinate those plans, and to detail the protocols they need to follow. This should mean that key staff know what to do and have a plan to refer to in the event of incidents and emergencies.
Test and update the plan.
The plan should be viewed as a living document and not a one-off exercise. Your BCP should be regularly reviewed and updated, e.g. if there are changes/additions to the risks and threats, or changes to key staff members. Also, the plan and its key elements should be tested to ensure relevance and effectiveness.
What Does This Mean For Your Business?
The survival of a business depends upon not just accepting that bad things do happen, but on making the effort to prepare for at least what can be reasonably foreseen. Downtime and disruption can very quickly have a serious and costly effect on a business in terms of lost revenue, lost customers, reputational damage and more. Businesses also have a responsibility to stakeholders to ensure that risks and threats are identified and planned for where possible. Creating and maintaining a BCP, therefore, should be given a high priority as it can protect the life of the business itself.