Business downtime is costly. This post provides downtime cost projection guidelines for different businesses. There are other costs besides money. Your reputation is damaged if your company is in the news and you’re unavailable to customers. As Forbes noted in its Colonial Pipeline hack headline, no company wants to teach its industry about security.
Business continuity planning is best for avoiding these costs. That way, if a hurricane or ransomware attack hits, you know what to do and have the tools to keep your business running. With that in mind, let’s look at the specific areas you need to address as you develop your plan—and how you can ensure its effectiveness if needed.
What’s business continuity?
Business continuity planning enables companies to continue operations after a major disruption. Business continuity is a backup plan.
A business continuity plan should include disaster procedures for employees. Plans should include the following:
- Business processes
- Equipment/stock disposition
- Who’s accountable?
- Emergency contacts
- Power backup
Extreme weather disruptions often require business continuity plans. They also help with daily issues like late payments, sick employees, and unreliable suppliers.
Can you quickly restore HR, manufacturing, sales, and support to make money after a disaster? Do you know how your customer service reps will handle calls if a tornado flattens their building? Will they work remotely? BC addresses these issues.
Business continuity plans include business impact analyses. Business impact analyses quantify the cost of sudden business function loss. This analysis also helps you decide whether to outsource non-core business continuity plan activities, which can be risky. The business impact analysis helps you prioritize your company’s processes.
Why is BCP (Business Continuity Plan) important?
You compete as a small or large business. Right after an adverse event is the best time to test your ability to retain and grow your customer base.
Many disaster recovery solutions exist because most companies need IT restored. IT will implement them. Your other business functions? People and processes shape your company’s future. Handling incidents well can boost your company’s reputation, market value, and customer confidence.
Lorraine O’Donnell, Experian’s global head of business continuity, says consumer and regulatory security expectations are rising. “Organizations must understand business processes and the impact of losing them over time. Financial, legal, reputational, and regulatory losses can occur. An organization’s “license to operate” being revoked or subject to conditions can hurt market value and consumer confidence. Plan your recovery around these processes’ allowable downtime.”
How To Create a Business Continuity Plan?
Start by assessing your business processes, identifying vulnerable areas, and estimating losses if they go down for a day, some days, or a week.
Business impact analysis
Plan next. Six general steps:
1. Plan’s scope
2. Key business areas
3. Key functions
4. Determine business function dependencies
5. Define critical function downtime
6. Plan operations
A checklist for business continuity planning includes the following:
- supplies and equipment
- backups of data and backup sites
- who should have the plan, and who should have access to it
- contact information for emergency responders
- key personnel
- and backup site providers
If you don’t have one, create a disaster recovery plan as part of your business continuity plan. O’Donnell advises against assuming your disaster recovery plan covers all needs. Restoration time must be defined and “align with business expectations.”
As you plan, interview key personnel from organizations that have survived disasters. War stories and the tactics that saved the day are popular. Their advice could help you create a solid plan.
What is the importance of putting your business continuity plan to the test?
O’Donnell claims that only testing a plan can prove its efficacy. “A real incident is the best way to test something. However, controlled testing is more comfortable and allows for gap identification and improvement.”
A plan must be rigorously tested to determine its completeness and effectiveness. O’Donnell suggests breaking it. Make it credible but difficult. Only this improves. Make goals measurable and challenging.
So many companies test their business continuity plan twice to four times yearly. The schedule depends on your organization, key personnel turnover, and business process and IT changes since the last round of testing.
Tabletop tests, structured walk-throughs, and simulations are common. Recovery coordinators and functional unit members make up test teams.
The team reviews the plan in a conference room, looking for gaps and ensuring all business units are represented.
Each team member examines their plan components in a structured walk-through to find weaknesses. The team usually simulates a disaster. Structured walk-throughs may include drills and disaster role-playing. Correct weaknesses and update the plan for relevant staff.
An annual emergency evacuation drill is also recommended. This test lets you know if you need to evacuate disabled employees.
Finally, annual disaster simulation testing is complex. For this test, simulate a disaster with all the necessary equipment, supplies, and people (including business partners and vendors). Simulations test your ability to perform critical business functions during the event.
Add new testers to each business continuity plan test phase. “Fresh eyes” may spot information gaps that veterans may miss.
Review and update your business continuity plan.
Business continuity plans take time to create and test. After that, some companies let the plan sit while focusing on more important tasks. This makes plans obsolete.
Technology and people change, so the plan must too. Annually review the plan with key personnel and discuss any changes.
Get staff input before the review. Review the plan with all departments and remote units. Include lessons learned if you had to implement the plan after a disaster. Many companies review after a tabletop exercise or structured walk-through.
How to get support and knowledge for a business continuity plan?
Taking your plan lightly can doom it. Every business continuity plan needs top-down support. Senior management must create and update the plan; subordinates cannot. Senior management should prioritize review and testing to keep the plan fresh and viable.
Management promotes user awareness. How will employees react when every minute counts if they don’t know the plan? Business unit managers or HR staff can distribute and train plans, but a top executive should start and emphasize training. It will affect more employees, lending credibility and urgency to the plan.