Because the Worst Can Happen: 5 Steps to Develop an Effective Business Continuity Plan
For many companies, the pandemic is a stark reminder that that worst can happen. While few businesses were fully isolated from the fallout, some outcomes have been more dire than others. CMS Wire reports that 11.5 million U.S. jobs were lost as a result of the pandemic, and that 7,500 retail stores are expected to close this year amidst the “business apocalypse”. These startling figures point to the critical need for an effective business continuity plan to help your company withstand and move past potential disruptions. Here, we share five key steps you can take to strengthen your company's resilience with an effective business continuity plan.
What is business continuity?
Business continuity refers to maintaining business functions (or quickly resuming them) in the event of a major disruption, whether it's a natural disaster, a man-made scenario, a cyberattack, or, as we all well know, a pandemic. It follows that a business continuity plan is a roadmap to outline the procedures and instructions your company should follow in the event of disruption. The goal of a business continuity plan – or a BC plan – is to ensure that your people and processes are protected and that you are able to function (or resume as quickly as possible) in the event a disaster strikes.
Your BC plan will be unique to your business. While there is no one-size-fits-all plan, there are some shared best practices, including:
Business continuity planning is not a one-time, check-the-box effort. Your BC plan is a “living document” that underpins an ongoing, continuous effort to protect your business.
Embed flexibility and adaptability in your process and your plan – just as disasters are unpredictable, your plan should be robust yet variable so that it can be applied in a number of scenarios.
The BC plan should include a focus on people with strategies to keep both your internal customers (your team) and your external customers (current or prospective clients and other stakeholders) safe yet connected during and following a disruption.
Professional services firm Moss Adams suggests that an effective BC plan should focus on your core functions, the dependencies that support these functions, and the strategies that will help you reduce the impact and fall-out from a future disaster. Essentially, the continuity planning process should help you and your team clearly answer one fundamental question: “How will we continue to operate?”
How to Develop a Business Continuity Plan in Five Steps
And now to the important stuff – developing your own business continuity plan. Remember, business continuity planning should be an iterative process that engages all business units across your organization.
1) Understand your Risks
Let’s start with a question: What are the potential threats your business faces? What risks could disrupt your operations? The first step of developing an effective business continuity plan is to assess the level of risk and the vulnerability of your business. As you identify the scope of your plan, think about and address the most likely threats to your IT environment and key business areas, such as natural disasters, power outages, pandemic, cybercrime, and human error (internal threats). As you catalog these risks, consider what steps can be taken now to prevent or limit outages in these scenarios. What threats will put your data and information in jeopardy? Which threats pose the greatest impact on your business?
To help identify and prioritize your essential functions, Moss Adams shares a few guiding questions, including:
What are the primary services and functions that support your mission, vision, and goals? What resources, systems, vendors, equipment, team members, and other processes do you rely on to carry out those processes?
What are the potential impacts on other processes if any of these functions are disrupted?
How will your key stakeholders be most impacted by a disruption to your operations?
What are your legal compliance obligations, and how must they be incorporated into your contingency planning?
A proven way to fully understand your risk is to partner with a trusted technology partner (like N8 Solutions) to conduct a robust assessment of your essential functions. A third-party-supported approach can also help your team uncover security vulnerabilities, assess backups, and identify other network issues that could result in costly downtime.
2) How will this impact my business?
Once you’ve identified your essential functions and potential risk scenarios, determine which will have the most severe impact on your business. For example, how would data loss impact a law firm's credibility and reputation? How would legal teams conduct transactions in the absence of internal systems? How would a trucking company increasingly dependent on computers and technology continue to schedule routes following a ransomware attack?
As you think about impacts on revenue, operations, and reputation, consider all aspects including physical or property damage (e.g., flood or fire), remote work scenarios (e.g., network access and VPN), operational (e.g., payroll), and people (e.g., safety and continued productivity). A business impact analysis is a helpful tool to engage all business units via a survey or workshop to identify critical functions and the resources that support them. You may need to conduct follow-up interviews to validate your findings and cover all business areas. A robust impact analysis may also help identify the optimal recovery time (e.g., one hour or one day) for your mission-critical activities and systems.
3) Develop your Plan
Once you've prioritized your critical functions, risks, and impact, create a plan to prevent or reduce these disruptions – this will form the basis of your business continuity plan. Building the right business continuity team is a critical step here. Involve your executive or leadership team not only to produce a strategic and well-thought-out BC plan but also to ensure buy-in and reduce uncertainty or unease if or when the plan has to be put into effect.
One risk that many companies overlooked in their pre-pandemic BC planning was the need for remote working. This is a logical place to start, as continued workplace disruptions for health and safety reasons remains a concern around the world. Identify ways that you can address this risk. For example, cloud-based systems and secure remote working solutions can ease the transition to remote work for many companies. (However, while automation and cloud-based solutions are likely components of your plan, don’t neglect to identify any manual workarounds that may help you continue to conduct business while other systems are being restored.)
Another example is data recovery and backup. Do you have the correct systems in place to quickly recover data in the event of an outage? What assets, staff, and partners do you need in place to proactively address these potential scenarios?
4) Implement the Plan
Once you've developed your plan, it’s time to implement it. If you haven’t already, organize a business continuity or recovery team and obtain in advance any needed approvals; implementation will also include writing your BC and disaster recovery procedures into existing organizational documentation. Identify the resources you may need in the event of disruption, such as additional office space, hardware and software, access to critical data, and inventory. In some cases, you may need to establish relationships with vendors or third parties to carry out your business continuity plan. Establish these partnerships and contacts now, before a disaster strikes.
This is also where your efforts to involve leadership will be critical to communicate the plan and expected changes. Inform all stakeholders before implementing any necessary changes to your technology stack or infrastructure. What channels will you use to communicate the changes – both now and in the event of a disaster? Do all employees share equal access to this information, and to the BC team, should they have questions about their own role and responsibility in the business continuity process?
5) Review, Review, Review
The last step is to establish a regular review and testing cadence for the business continuity plan. As mentioned above, this should be a flexible and adaptable “living document” that you review and optimize as your business – and the environment in which you operate – continues to transform. Test your plan in a non-emergency scenario to identify gaps and improve the plan.
The Ready website, a resource from the U.S. government, suggests that teams develop testing, exercise, and maintenance requirements for a business continuity plan, including training and orientation exercises for all relevant members of your BC team. The results of these exercises should be incorporated into future iterations of your plan.
As you embark on this important step for your business, keep in mind the stakes. Every day that it takes to bring your business back online following a disaster presents a chance to lose customers, damage your reputation, and cost you money. While insurance can cover some of your losses, it cannot prevent your customers from seeking products or services from your competitors. An investment in business continuity is an important safeguard in 2020 and beyond.
With business continuity planning, you may benefit from expert guidance, such as our team at N8 Solutions. Our backup and recovery solutions help ensure your critical information is secure, backed-up, and accessible – even during a network failure or disaster – so you’ll never have to worry about data loss again. Now is the time to build an effective business continuity plan alongside a robust backup and recovery strategy.
While we can’t predict when or how disaster strikes, we can take steps to prepare for it. And we can help you get there. Please get in touch with us today.