Scroll Top

How to Create a Business Continuity Plan

Business Continuity Plan

Hurricane season is a natural reminder of Business Continuity planning – or lack thereof. Whether your business has a valid and tested Business Continuity plan determines, more than any single thing, the likelihood, speed, and cost of returning to normal function following a disaster, or seriously disruptive event.

The key points about BC planning can be easily presented in a prioritized format by the “5 W’s and 1 H”, format: Who, What, Where, When, Why and How. By scrambling the “W’s” we can create a truly prioritized list. Business Continuity is related to Disaster Recovery, as whole to part. They are sometimes confused.

What is a Business Continuity (BC) Plan?

I recently traveled to India, where electricity is spotty, and easily disrupted by storms. Whenever this happened, whether I was in a large city or small village, when the lights went out the sound of generators immediately followed. The generator illustrates the difference between Business Continuity (BC) and Disaster Recovery (DR).  Seeing the need for and purchasing a generator and fuel for it, falls under the heading of BC planning; whereas the generator turning on and restoring power and light, is part of DC (Disaster Recovery).

More formally stated, Disaster recovery is the manner in which resources are restored following a damaging event or crash. For businesses, the key resources are often data, files, servers, and applications; for individuals, and municipalities, these resources are electricity, food, shelter, plumbing, law enforcement, phone service, cell services, radio and TV services. Disaster recovery efforts are still in full swing in Houston and surrounding areas, South Florida, Puerto Rico, the Virgin Islands, and other areas hit by hurricanes Harvey and Irma, and now, Maria.

By contrast, Business Continuity is the way a business sustains operations when it loses access to vital resources.  Business Continuity (hereafter BC) planning looks ahead to provide for these resources in some manner, in advance of the loss occurring. To state it simply BC focuses primarily on what happens before the event (planning and testing); DR focuses on what happens after the event, the actual recovery or resources.

As businesses rely increasingly on computers, DR efforts focus increasingly on restoring data and computer resources and networks. Thus DR is a part of BC.


Learn More:

Why You Need a Business Continuity Strategy

When you own a business, you naturally hope everything runs smoothly and there are no major disruptions. Unfortunately, this isn’t something you can count on. There are many issues, from natural disasters to cyber attacks that can cause serious disruptions to your business. If you’re not prepared for such events they can be extremely harmful or even fatal to your business. That’s why it’s so important to have a business continuity plan. This is a strategy that prepares you for the worst so if something does happen you’re not caught off guard. Let’s look at why it’s crucial to have a business continuity strategy and some pointers for implementing one.

One downside to technological innovation is that even the most advanced and sophisticated systems can fail. This can happen for a number of reasons.

Natural disasters

Hurricanes, fires, floods, earthquakes, ice storms and severe thunderstorms are some of the natural events that can cause power outages, system failures, and damage that causes downtime for your business. Nature has been quite unpredictable lately and it’s wise to prepare for severe weather and calamities.

Cyber attacks

Hackers and identity thieves target businesses of all types and sizes. No matter what defensive measures you take, there’s no guarantee that a determined intruder won’t get in and wreak havoc on your data. However, you can prepare for cyber attacks before they happen.

System malfunctions

Server MalfunctionSometimes technology fails of its own accord without any help from nature or hackers. If you lose valuable company or customer data, do you have backup data and a plan for recovery?
Employee errors. Even if you have dedicated and well-trained employees, mistakes happen. Sometimes errors can have serious consequences. Some mistakes cause data loss and malfunctions outright. Others leave your business vulnerable to cyber attacks. According to the IT Compliance Policy Group, human error causes 75% of all data loss.

The consequences of disasters, system failures, and cyber attacks depend on what type of business you have and the severity of the incident. If you have a brick and mortar business, you need to face the possibility that your doors may be closed for a period. If all of your business is online, every minute you’re offline means lost revenue. A business continuity strategy ensures that you’re prepared for such eventualities and can recover from them more quickly.

Who should develop and manage the plan?

Simple, but not as simple as you might think. Who develops the plan? Often it is left up to the IT folks. That is a mistake. The head of Operations is the right person because BC goes well beyond IT.  IT is a specialized area of BC and DR. IT becomes more important to business operations every year, but will never be identical to it. The broader issues include emergency decision-making, employee safety, legal concerns, messaging and communications with a response team, employees, customers and vendors. IT may have a role in each of these things but is not responsible for most of them. Ideally, there is a BC team, composed of Operations and IT managers, with high-level management oversight.

Where should the BC plan and the BC response manager be located?

If the BC response manager is located in the area affected by the incident that caused business disruption, they may not be able to respond. For example, on 9/11 in New York City, many cell phones, and even POTS line services were unavailable for some time. This could certainly happen again in a variety of circumstances. Among the many important things the BC response manager has to do is contact key resources, declare that an incident has occurred and the response has begun. Assuming communication is possible, it may simply notify employees to stay home. It may simply notify vendors that an incident has occurred and it will require failing over to backup servers or online applications.

For this reason, there should optimally be a BC response manager outside your geographic region, if possible. Or, Murphy’s law may dictate that when disaster strikes, only the BC response manager’s phone or internet service has been disrupted. For this reason, it is important to have a fallback BC response manager, even if they are not outside the geographic area.

Likewise, the BC response plan should be stored on cloud hosts outside the geographic region of the office(s) covered by the plan.


Learn More:

When should you develop and test your Business Continuity plan?

Because both climate and politics are inherently unstable, the answer is simple: Immediately!

Generally, better planning will result in less loss, downtime, and lower impact on customers and products in the event of a business-disrupting event. Thus, even a little planning will have a much better result than none at all.

The most time-consuming aspect of BC planning is coordinating what will happen on D-Day (disaster day) with vendors, partners, affiliates, and management; then testing. Businesses that do not have a fully-realized plan, should double or triple the time they have allotted for vendor coordination and testing.

Is Your Company At Risk of a Cyber Security Attack?

How should you Create your Business Continuity plan?

It depends on your size and in-house expertise. If you have good -sized in-house Operations and IT teams, they should be able to draft it.  Smaller companies should turn to trusted IT providers with BC and DR experience. Their knowledge of your data and systems gives will save you a lot of discovery time in drafting the IT-related aspects of the plan. They should also advise you that the overall BC plans are ultimately the responsibility of management, even if the IT-related aspects of the plan is their responsibility.

Finally, HOW should you develop your BC plan? Over time. It must be regularly updated, particularly as personnel, company structure, and IT-related resources change. A BC plan is not a one-and-done. It must be managed over time.

Tips for a Creating Business Continuity Plan

By their very nature, crashes, disasters, and attacks are unpredictable. While you can’t know the exact nature of potential problems, you can make efforts that prepare you as much as possible. Here are some guidelines to keep in mind when creating a business continuity strategy for your business.

Identify your risks

Your risks depend on factors such as your location, industry, and what type of technology you use. Some regions are more at risk for certain types of natural disasters such as floods, hurricanes, or earthquakes. Certain industries, such as finance, are especially prone to cyber attacks. Keep in mind, though, that cybercriminals target all types of businesses and that nature can strike in unpredictable ways no matter where you are. You want to identify the specific data and technology that’s most valuable for your business.

Create a team

A business continuity or disaster preparedness team are people with the skill set to deal with any problems. Having a team in place means that if something does occur, you’ll know who will deal with each key area. It’s best to have at least one representative from each department on your team, as a major attack or crash effects everyone. Team members should meet regularly to discuss plans and keep one another updated on changes, such as new IT security threats. The leader of your team should be well versed in your business’s technology and adept at making decisions and delegating responsibilities.


Learn More:

Set priorities

After a crash, disaster, or attack, your business won’t be running at full capacity. It’s important to understand which areas are likely to be hit hardest and to set priorities. Decide which activities and services you can afford to temporarily discontinue. For essential services, look for alternative ways to continue them. For example, you might arrange to outsource certain services that you can’t deliver. Making such arrangements in advance is much easier setting them up at them at the last minute.
Maintain communication. It’s essential to have clear communications during and following any kind of shutdown or attack. This includes internal communications within your business, contacting customers and partners, and, when necessary, the proper authorities. Make sure you have backup information for all essential contacts. It’s particularly important to reassure customers that their data is safe and that you’ll resume services as soon as possible.

Conduct drills

One way to prepare your business for a disaster is to conduct practice exercises (learn more about our cyber secrity assessments). Schools and businesses regularly have fire drills. Police and military organizations conduct exercises to practice for wars or terrorist attacks. In a similar vein, you can prepare for cyber attacks, natural disasters, and other catastrophes by conducting practice drills. FEMA provides information on emergency planning exercises.

Train employees on proper procedure

Even employees who aren’t on your business continuity team should be trained on basic procedures to take in case of an emergency. For example, everyone should know whom to contact and where to go for information if the normal modes of communication are down.


Learn More:

Reassess and update your business continuity strategy regularly

Risks change constantly. Hackers develop new viruses, malware, and modes of attack all the time. Your company may acquire new platforms and software. Weather patterns change. It’s therefore essential to frequently reassess and update your business continuity plan.

Businesses today face all kinds of risks. You need a well-planned strategy to ensure that your business can survive and recover from any type of attack, malfunction, or calamity. While you naturally hope that you’ll never need to implement your business continuity plan, you’ll feel safer knowing that one is in place.

Want more great info to help your business thrive? Check out of cyber security consulting services!

 


Learn More: