Business Continuity Planning in a Nutshell©
By: Rebecca Folk, MBA, Marketing and Sales Support Manager & Robert Bolden, MBA, CBCP, Senior Business Continuity Planning Consultant, Paradigm Solutions International, Inc.
Now, more than ever, we must be prepared and perform Business Continuity Planning to ensure our organizations' ability to continue operations. In the aftermath of Hurricane Sandy and the Aurora and Newtown shootings, along with the prospect of power failures, floods, fires, natural disasters, terrorist acts, supply chain interruptions, or a pandemic flu outbreak, businesses and other organizations are re-evaluating how prepared they are to respond to the disruptions they face. It is now understood that the threats and exposures are many. Being prepared will increase your ability to continue functioning when a disruption occurs.
What Is Business Continuity Planning?
A comprehensive Business Continuity Plan is a plan to help ensure that an organization can continue to operate when a disruption to normal business occurs. Planning helps protect company assets, minimize loss, and mitigate the impact of a business disruption on your employees, vendors and customers. The disruption can be any unexpected event, such as a power outage, water main break, fire, earthquake, cyber attack, robbery, or explosion, that disrupts normal business operation and threatens staff safety. Therefore, it is critical to have a set of processes in place to follow should a disruption occur. Ask yourself this question: “Are we prepared to respond to a disruption?”
The “Must Haves” of Business Continuity Planning
Established Business Continuity Programs are composed of key elements and processes focused on ensuring that planning efforts provide for the safety of personnel, protect critical corporate assets and minimize loss. Once developed, the plans/program must become a part of the organization's overall approach to mitigating risks and providing for the welfare of the stakeholders of the organization.
The key elements that comprise the Business Continuity Planning initiative include:
1. Business Continuity Planning Requires Management Support
Establishment of an effective program begins with executive management support and sponsorship. Absent this support, the program will likely not attain the level of priority needed to sustain recovery processes and ensure that the program remains viable.
2. Implementation of an effective Business Continuity Planning Software tool
An effective Business Continuity Planning software solution will enable an organization to facilitate and demonstrate the ability to define, manage, communicate, train, exercise, maintain and perform ongoing plan improvements more readily and effectively.
3. The Conduct of a Business Impact Analysis (BIA) is Vital to Program Development Efforts
The conduct of a BIA is needed to quantify and qualify impacts resulting from a loss of critical functions. The goal is to identify time-critical functions, establish recovery priorities, and uncover interdependencies in order to set recovery time objectives and recovery point objectives.
4. A Risk Assessment is Required in Order to Evaluate the Current Risk/Threat Environment
Businesses should conduct a Risk Assessment to evaluate threats arising from internal and external sources. Once conducted, the assessment will provide an analysis of all mitigating controls in place and identify areas where controls should be increased or decreased.
5. A Formal Planning Strategy Should Precede the Actual Plan Development Phase
Based upon the results of the BIA and Risk Assessment, a plan strategy should be developed that considers Recovery Point Objectives, Recovery Time Objectives and mitigating controls. The development of a strategy serves to streamline the development process and leads to a more meaningful planning effort and implementation.
6. A Crisis Management Plan is Needed to Mobilize, Stabilize and Control Recovery Efforts
A Crisis Management Plan serves as an overarching control element that should be implemented from crisis onset through the recovery and transition to normalized operations. The plan should include notification and deployment procedures and provide for oversight of the recovery from a high level. The plan should also detail management’s expectations for communications with internal and external contacts from the onset of the crisis through each stage of recovery.
7. Business Unit Business Continuity Plan Development Should be an Integrated Process
Plans should be developed at the Business Unit level under the direction of a Global Plan Administrator. The goal is to ensure that plans are not developed in a “vacuum” which could lead to a disconnected recovery in an actual emergency. Plan development should be based upon criteria obtained from the BIA and Risk Assessment as set forth in the Business Continuity Strategy.
8. Plans Will Not be Effective Without Continual Training of Recovery Team Members
Plans are only as good as the people implementing them. A comprehensive training program must be incorporated as a key component in the global program development effort in order to ensure that key staff members maintain top-of-mind working knowledge of critical plan components.
9. Business Continuity Plans Require Regular Maintenance and Testing to Ensure Effectiveness
No organization operates in a static environment. People, processes and organizations change on a continual basis, often requiring changes to current plans. Plans should be updated at least annually, or whenever change dictates. Plans need to be tested periodically to ensure that they remain viable for the current environment. Short of experiencing an actual crisis, this is where you determine if your BCP works.
10. Business Continuity Plans Should not be Responses to Compliance Requirements
Compliance is very important. But simply creating a plan from a generic Business Continuity Planning Template and saving it on a shelf, just in order to “check the box” for having a plan, shortchanges not only your BCP response but your organization as well.
11. Business Continuity Planning is Never “Done”
Business Continuity Planning is a “process”, not a project. The Business Continuity Planning continuum consisting of BIA, Risk Assessment, Plan Development, Testing and Maintenance is an on-going process that should be viewed as constantly evolving.
To protect your business, you can do many things to lower the risks, but you will never be able to eliminate the risks completely due to changing technology, changing business needs, and changing threats. For this reason, business leaders must adopt an on-going program of preparedness. The mindset that “it couldn’t happen to us” must be replaced with “we are prepared”.
Copyright © 2013, Paradigm Solutions International, Inc.