A Business Continuity Plan (BCP) is a document which contains vital information required by a business during dangerous and unplanned events such as floods and server breakdowns.
A well-written BCP should take into account all internal and external business threats and give instructions on how to sustain the essential business operations until a concrete recovery takes place.
Your Business Continuity Plan should reveal the essential business operations, their priority levels, and how to maintain or sustain them in times of crisis.
Cyber attacks, natural disasters, human errors and technical errors cannot be foreseen or controlled. A BCP forces you to plan ahead and write down the necessary steps that should be taken to prevent business outage and thereby keeping losses to a minimum.
A business outage can result in the loss of revenue, customers and reputation. Insurance will not cover all the costs and won’t replace the customers who turned towards your competition.
A Business Continuity Plan can keep the employees focused on the tasks at hand during a crisis without panicking. Just make sure the instructions written in the document are easy to understand and follow.
The IT Department of your business should be responsible for creating and regularly updating the BCP. Getting the executive staff involved in this process might be good idea since they can add more insight to the plan.
Technology in a business environment comes in various forms such as computers, laptops, tabs, enterprise software and etc. They are used to increase the productivity of business operations.
Therefore recovery strategies should be in place to restore technology in time to meet the needs of your business. Until technology is restored, employees will have to depend on manual workarounds to sustain the important business functions.
These things should be clearly explained in the BCP.
This is the phase where you collect all the necessary information by conducting both Business Impact Analysis (BIA) and Risk Assessment (RA).
BIA can pinpoint vital business functions that must be sustained and the resources required for that. RA can identify what the internal and external threats to your business are, the likelihood of them happening and the damage they can cause to your business.
Functions that can negatively impact your business the most should become priorities for restoration and restored before the Recovery Time Objective (RTO).
RTO is the point in time where a certain function or process should be recovered before unacceptable consequences occur.
Recovery strategies are used to bring vital business functions to a sustainable level following a business disruption. Business functions should be prioritized by RTO as mentioned above.
Before writing down recovery strategies in your BCP you should identify the resources required to execute them and see whether a resource gap is available or not.
For example, if one of the production machinery malfunctions but if others still work, there will be no resource gap because production can still be sustained even at a slower pace.
But if all production machinery gets damaged and if there are no more stocks available, production should be reinstated at another facility as soon as possible to meet the demands of your customers.
It’s important that you gather the executive staff of your business when deciding on the recovery strategies because they have more experience and knowledge about the company.
If you find a better alternative for a recovery strategy, submit it to the management for approval and decide on how much the business is willing to spend.
Some strategies may involve contracting with third parties, entering into partnerships with your competitors and discontinuing resource-demanding functions which are not very beneficial for your business.
In the event of a natural disaster, you might want to re-locate all operations to another facility that you own, assuming that the new facility is not impacted by the same event at the same time, and has the required resources and space to resume the operations of the impacted site.
The Telecommuting strategy aims to reduce alternate site requirements by having staff work from home via remote connectivity. Telecommuters need to have a suitable home-work environment with a computer which has all the required applications installed along with a good stable internet connection.
This strategy might not be as effective as relocating to an alternate site but it’s quicker and requires little to no money to execute.
Establish partnerships and other agreements with the businesses and organizations in your industry to help each other out in times of need.
Aspects such as resource availability, information technology, privacy, protection of intellectual property and how each other’s operations will be impacted should be addressed prior to forming partnerships.
The agreements should be clearly written down and documented in the BCP and you should regularly check-in with the businesses that you formed partnerships with to see if there is any change in their ability to support you.
There are many third party organizations which support business and IT recovery strategies. Some let you rent complete business environments including office space, production facility and live data centers with all the necessary equipment and services.
Another option is to rent an office trailer with all the equipment you need.
The costs for these options depend entirely on how large of a space you need, where the space is located, and what equipment and services you are looking for.
Manual workarounds is another recovery strategy that should be followed by every business. These days inventory tracking, payment processing and order routing are all computerized. So what if there is a sudden technical or electrical breakdown?
What should your staff do now?
If manual workarounds such as paper order forms are in place, the staff can still process direct and phone orders until the electronic system is restored. That way you can keep the revenue loss to a minimum.
Recovering a critical function or process requires resources. A resource requirements worksheet should be completed by the executive staff to determine the resource requirements for chosen recovery strategies.
These resources can come from within the business or from third parties. Resources include:
After identifying the resources required for the chosen recovery strategies, they need to be prioritized according to the point in time you are going to need them.
The next step is to write clear step-by-step instructions that your employees can follow to minimize losses from the threats identified in the RA.
A Business Continuity Plan should not be overwhelming or difficult to use. Checklists and flowcharts will really make the instructions more easy to understand and follow.
It doesn’t matter how many pages your BCP has if it can’t prepare your business to face unplanned events with a clear and focused mind.
I recommend having a one-page BCP with all the necessary information rather than a very in-depth BCP for small businesses and startups.
A basic BCP should include the minimum staff required, emergency contact information, high priority functions, recovery strategies, the costs associated with them and etc.
Review the BCP regularly to make sure that everything written is accurate and up-to-date. It’s a good idea to inform the executive staff and IT division before making any changes to it.
Hold awareness programs and testing activities for the general staff to better familiarize themselves with the BCP and its latest changes. You can also conduct internal and external BCP audits to measure the effectiveness of your BCP and identify areas of improvement.
The person in charge of creating your BCP must be well-versed in technology, security, risk management, and strategic planning. This includes being familiar with new emerging technologies such as cloud and virtualization, and new threats such as ransomware.
Typically that would be the IT administrator but in small businesses the owner themselves do it.