A local government building in our region recently experienced a disaster. It was relatively small compared to hurricanes and wildfires that happen in other parts of the country, but it disrupted operations. A small fire was contained to the top floor, but between the smoke and water damage, the staff had to move to different buildings for a few weeks.
Disaster can strike anyone, anywhere, anytime and comes in a variety of forms. Whether you worked hard to build your business or you are a hard-working employee, everyone should have a Business Continuity Plan. The National Institute of Standards and Technology (NIST) defines a Business Continuity Plan as “The documentation of a predetermined set of instructions or procedures that describe how an organization’s mission/business processes will be sustained during and after a significant disruption.”
A cyberattack or data theft is a possible risk that you can address with a Business Continuity Plan. When disaster strikes, it will be stressful. “You need guidance to walk you through the process,” said James Pompilio, Garnet River’s VP of Security & Infrastructure. “A plan keeps you calm.”
Start with Risk Analysis
Your Business Continuity Plan, or BCP, could be longer than “War and Peace” if you outlined, in detail, every possible scenario. Your risk analysis starts with a list of possible risks and the likelihood those risks will come to fruition.
For example, snow and ice storms in the Northeast could disrupt business operations. There is a good chance every winter that a major storm will hit. The risk probability is high. The magnitude, however, is usually rather low, with perhaps a few people having to work from home for the day. However, if a business has to close operations for a day or two, that would represent a higher magnitude. If the risk probability is high, the Business Continuity Plan should include the company’s policy and the procedures to follow, with options based on severity levels.
Tornadoes, on the other hand, are not common in the Northeast, and thus you would not have to include them in a BCP. But they would be relevant for businesses in the South and Tornado Alley.
Common risks to consider:
- Hazardous material spill
- Workplace violence
- Pandemic disease
- Utility outages
- Natural hazards
After you have created your list, conduct interviews with key members of the organization to confirm and collect information and to fill in gaps.
Consider Assets and Impacts
Now that you have your list of risks with high probability, you should check who and what could be impacted. These are known as your assets.
Questions to ask as part of asset analysis include:
- What services are the most critical? (financial, communication, data warehouses, etc.)
- Who will be impacted?
- Are customers or employees at risk?
- Is property at risk?
- Are systems at risk?
- Is your reputation at risk?
- Is the environment at risk?
- Will we be unable to fulfill regulatory or contractual obligations?
These questions quickly lead to an impact analysis.
- How long can we live without service ABC?
- How do we recover?
- Will there be casualties? How do we deal with them?
- Property damage?
- Business operations interrupted?
- Loss of money? Loss of customers?
- Loss of confidence? Loss of reputation?
- Fines? Lawsuits?
When answering these questions, consider two important terms — Recovery Time Objective and Recovery Point Objective. According to NIST, Recovery Time Objective, or RTO, is the overall length of time an information system’s components can be in the recovery phase before negatively impacting the organization’s mission or business processes. Recovery Point Objective, or RPO, is the point in time to which data must be recovered after an outage; in practice it bounds how much data you can afford to lose.
The best way to get commitment from everyone is to seek comments from each department. The more you involve various departments, the more complete a picture you will be able to plan for, and the more invested everyone else becomes.
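As an added illustration (not from the article or Garnet River), here is a small Python check that compares a system’s stated RTO and RPO against what its backup schedule and last tested restore time can actually deliver; the system names and numbers are constructed for the example.

```python
# Added example: does the backup schedule and tested restore time satisfy
# the RTO/RPO set during impact analysis? Sample data is constructed.
from dataclasses import dataclass


@dataclass
class RecoveryObjective:
    system: str
    rto_hours: float  # longest the system may sit in recovery before the mission suffers
    rpo_hours: float  # how far back in time recovered data may lag the disruption


@dataclass
class RecoveryCapability:
    backup_interval_hours: float  # how often a restorable backup is taken
    restore_hours: float          # restore time measured in the last test, not estimated
    offsite_copy: bool            # is a copy kept away from the primary building?


def assess(obj: RecoveryObjective, cap: RecoveryCapability) -> list[str]:
    """Return findings for one system; an empty list means both objectives are met."""
    findings = []
    # Worst case: the disruption hits just before the next backup, so the data
    # lost equals one full backup interval. That interval must fit inside the RPO.
    if cap.backup_interval_hours > obj.rpo_hours:
        findings.append(f"{obj.system}: RPO {obj.rpo_hours}h not met, backups every "
                        f"{cap.backup_interval_hours}h can lose up to "
                        f"{cap.backup_interval_hours}h of data")
    # The tested restore time must fit inside the RTO.
    if cap.restore_hours > obj.rto_hours:
        findings.append(f"{obj.system}: RTO {obj.rto_hours}h not met, last tested "
                        f"restore took {cap.restore_hours}h")
    # A building-level disaster (fire, flood) destroys on-site backups with the primary.
    if not cap.offsite_copy:
        findings.append(f"{obj.system}: no off-site copy of backups")
    return findings


def assess_all(pairs) -> dict[str, list[str]]:
    """Assess every (objective, capability) pair, keyed by system name."""
    return {obj.system: assess(obj, cap) for obj, cap in pairs}


# Constructed sample: tight objectives for a finance system, loose ones for a file share.
SAMPLE = [
    (RecoveryObjective("finance-db", rto_hours=4, rpo_hours=1),
     RecoveryCapability(backup_interval_hours=24, restore_hours=6, offsite_copy=True)),
    (RecoveryObjective("file-share", rto_hours=48, rpo_hours=24),
     RecoveryCapability(backup_interval_hours=24, restore_hours=8, offsite_copy=False)),
]

if __name__ == "__main__":
    for system, findings in assess_all(SAMPLE).items():
        print(system, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

Run it against your own systems: every finding is a gap between the objective the business set and the capability IT can currently prove.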
Outline Your Recovery Strategies
Business continuity is not a one-person job. Everyone in the organization should be involved and informed.
- Assign responsibilities for recovery
- Account for all employees and essential equipment
- Develop plans for relocation if office or business is not usable
- Plan for IT recovery procedures
- Contact authorities as needed, including your insurance company
- Document and learn from past experiences
Similar to being ready for daily weather changes (coat, sunglasses, umbrella, boots, etc.), you need multiple options in order to be prepared. Document manual workarounds for the time while digital assets are not available.
- Maintain digital and analog emergency contact information, both internal (CEO, CIO, communications, etc.) and external (police, lawyer, utility companies, etc.)
- Back up important data off-site
- Prepare to switch to backup equipment or move it to a new location
Communication Is Vital
Communication with your employees and customers is critical during the disruption and your recovery. Document your communications strategy in the Business Continuity Plan so everyone knows what to expect.
- Who has the full list of employee contact information?
- How will you contact them if you can’t use email and your phone system is down?
- Where should employees go if they have to evacuate a building or city?
- Who is responsible for speaking to customers? To the media?
Test, Train and Practice
- Develop testing, exercise and maintenance requirements
- Conduct training for business continuity team
- Conduct orientation exercises
- Conduct testing and document test results
- Update BCP to incorporate lessons learned from testing and exercises
BCP Help is Here
Garnet River offers Business Continuity Planning as part of its policy management solution. Garnet River professionals have written thousands of policy management documents and have the ability and experience to help you create your Business Continuity Plan.