
Introduction to Business Continuity Planning

Each year, businesses and organizations are affected by man-made and natural events and disasters. Market competition and the fast pace of business demand that companies be prepared to respond to these events to help prevent or reduce business interruption and loss. These events run the gamut from fires, explosions, weather-related and other natural disasters to man-made events, including terrorism, data theft, cyber attacks on computer systems and networks, extended power outages and critical equipment breakdown. Major events can cause extensive disruption and damage to business and business operations. In a highly competitive, global economy, the inability of organizations to respond quickly and continuously to an adverse event could mean that consumers, clients and customers go elsewhere. Loss of customers, market share, and extended down times can result in your business never reopening. The importance of business continuity planning, that is, a continuous process and plan to identify the impacts of events and potential losses and ensure viable recovery strategies and continuity of services, cannot be overstated.

An organization’s business continuity plan should be an integral part of its operating strategy and part of its overall business planning process. It is not a “one-shot” project or one-time activity. Rather, it is an integral part of an effective business strategy. It requires a pre-defined, thoughtful approach and planning ahead. A well-executed and practiced business continuity plan is not only intended to help organizations recover and return to operations as quickly as possible. It also can be an important defense in reducing the overall impact on its business.
This guide is a high-level introduction to core business continuity planning concepts. Companies should tailor their own plan to their particular situation and needs.

Prerequisites: before building the actual plan
Before engaging in the process of business continuity planning, a sound foundation is a prerequisite to help support the success of your program. Top management should be actively involved in the development of the business continuity plan to help drive the necessary accountability and support for its successful execution.
Establish a management-supported planning committee. The committee should include core members and resource specialists. The size of the committee depends on your company operations, requirements and resources. The committee can help encourage employee investment and participation in the process; incorporate different viewpoints and experiences; provide a broad perspective on the issues; enhance visibility of the planning process and increase commitment and ownership of the final plan.
Prerequisites include, among other things:

  • Leadership commitment
  • Mission statement
    • Program scope, goals and objectives
  • Program administration
    • Timeline, budget, required resources, including a program coordinator
    • Finance and administration support
    • Compliance with laws, codes, authorities
    • Performance objectives
    • Records management
  • Insurance

While insurance alone cannot guarantee recovery, consider combining your business continuity plan with proper insurance coverage. Discuss your insurance options with a professional insurance representative to help determine your coverage needs, such as business interruption/contingent business interruption, extra expense and payroll.

Planning activities
Once you have management support and a planning committee, developing your business continuity plan involves four major steps. The steps include:
(A) – Assessing the threat or risk that could result in a significant interruption of your business operations;
(B) – Conducting a Business Impact Analysis to aid you in identifying and prioritizing the most critical business functions necessary to keep your operations up and running;
(C) – Establishing Controls for prevention and/or mitigation of the potential impact of an adverse event; and
(GO) – Go test, exercise and improve your plan routinely.

(A) Assessing the threat or risk
The first step in business continuity planning is to identify the nature and likelihood of an event. Some disasters, such as weather-related or natural (earthquake) hazards, may be easier to identify as a consequence of where your business is located and the patterns or trends in your location. Your local emergency management office can help you better understand these risks. Other risks, such as an extensive power grid outage, vandalism, terrorism, attack on your data networks, theft of your data or even an event that disrupts shipments from a major vendor or supplier, may not come readily to mind. However, these types of man-made events should be presumed. It is a reasonable assumption that these types of events are possible and could impact your business operations.
As you work through your threat or risk assessment, consider the impact on:

  • your employees
  • your property, including equipment and inventory
  • your operations, including data, vendors, suppliers, customers and reputation
  • the health of the local environment (pollution/contamination, for instance from a chemical spill)

Assess the readiness of your internal and external resources to respond to the potential events.
As you evaluate the impacts of the events, document if there are adequate strategies in place to prevent or reduce the impacts of the events. For those answers labeled “no,” additional planning and controls will be needed.
Your risk assessment can help you prioritize prevention and mitigation strategies, as well as assist in planning the development of response during an event, including emergency operations, recovery and continuity activities.

(B) Business impact analysis
The goal of the business impact analysis is to develop a list of the functions or processes that are needed for the survival of your business.

  • Identify those “critical business functions,” activities or assets (such as data) of your company that, if interrupted, could disrupt your ability to continue to provide goods and/or services
  • Identify the maximum time frame before the interruption can cause significant impact to your business
  • Identify requirements that must be maintained to ensure acceptable levels of operation

The goal of the business impact analysis is to focus on your most critical needs to help ensure that critical functions of your business are restored quickly. Complementary functions can generally be restored later and returned to normal operations over time without interrupting your business. Conservation and wise use of limited resources during an event can be critical to the recovery of your business.

(C) Controls for prevention and mitigation
Prevention and mitigation planning and activities are intended to help prevent an event (such as a fire or explosion from unsafe conditions), as well as reduce the impact or severity of an event (such as relocating critical equipment to a higher elevation in flood susceptible areas). Your prevention and mitigation plans should include:

  • physical controls, such as sprinkler protection, network firewalls, flood barriers; and
  • loss prevention programs, policies and procedures, including emergency response, employee communications and public relations.

Some specific activities at this step would include, among others:

  • developing a prevention/mitigation planning objective for the resumption of each function within a specific time frame identified in the steps above (e.g., restore data within four hours)
  • determining minimum resources needed to support your efforts
  • delegating recovery and continuity assignments to staff who are most familiar with the functions that will need resumption

Remember, there is a human cost in a crisis or disaster. How will you help employees restore their emotional and physical health following a crisis or disaster? Identify resources, such as employee assistance programs or community-based resources, to help your work force cope with the event.

(GO) – Test, exercise and improve your plan routinely
It is critical to test and exercise your plan routinely and evaluate its effectiveness, making necessary changes to improve the program. The need for regular program review, training, education and practice exercises cannot be emphasized enough. Exercises and testing are how you validate whether your plan will work.
A business continuity plan is not a “one-shot” project. It is an integral part of an effective business strategy. A completed plan should be reviewed, tested and updated regularly if it is to be effective when put into action.

Closing comment
Your best defense in protecting the continuity of your operations is a well-prepared and practiced business continuity plan. Your business has a better chance of survival and, in a widespread event, even a competitive advantage, if you have an effective business continuity plan and can stay open for business. The application of a business continuity process can help you better prepare for, respond to and recover from natural and man-made disasters.

 

The information provided in this document is intended for use as a guideline and is not intended as, nor does it constitute, legal or professional advice. We do not warrant that adherence to, or compliance with, any recommendations, best practices, checklists, or guidelines will result in a particular outcome. In no event will we or any of our subsidiaries or affiliates be liable in tort or in contract to anyone who has access to or uses this information. We do not warrant that the information in this document constitutes a complete and finite list of each and every item or procedure related to the topics or issues referenced herein. Furthermore, federal, state or local laws, regulations, standards or codes may change from time to time and the reader should always refer to the most current requirements. This material does not amend, or otherwise affect, the provisions or coverages of any insurance policy or bond issued by us, nor is it a representation that coverage does or does not exist for any particular claim or loss under any such policy or bond. Coverage depends on the facts and circumstances involved in the claim or loss, all applicable policy or bond provisions, and any applicable law.