A business continuity plan (BCP) enables your organization to pivot smoothly in the midst of a crises—be it fire, hurricane, pandemic, or loss of power. Without a comprehensive business continuity plan in place, your business could lose profits, employees and/or clients could get hurt, your brand’s reputation be damaged or even be forced to close. A thorough BCP helps to prevent the worst-case scenarios and keep the ball rolling.
Luckily, there are ample resources and service providers who can help you to create a BCP. As we have discussed in this blog series, the first phase of business continuity planning includes a thorough risk assessment. Once a risk assessment has been conducted, you will be better able to list your organization’s strategic objectives and then begin to make your plans. (Remember the MPWRSource methodology? Strategy > Plans > People > Process > Tools & Technology? Yes, faithful reader. Our superpowers apply here too.) After your risk assessment, you will have conducted your business impact analysis (BIA). Your BIA basically takes all the “What if” scenarios from your risk assessment and defines how your business and its people and operations will be affected so that it can best prioritize its strengths and weaknesses and quantify just how big of a deal each of those risks are and to what areas. Your BIA will identify your core business operations and critical points for business continuity. This will help you make the most logical and realistic recovery plans while keeping in mind your risks. Your BIA will help you proactively identify potential problems that may arise. If any functions or departments have time-sensitive operations, monitor the tolerable downtime. Use a rating system for key business functions to help you understand where to allocate resources.
With all of this information in hand, now you can strategize. And then make plans. If X happens, we will do A, B, and C.
Your plans should be the most detailed portion of your Business Continuity Plan. You will divide your strategies into three different categories: Prevention, Response, and Recovery.
Prevention Strategies:
What can you do to prevent threats? Your BIA will likely identify areas that need mitigation. This could include having back up power supplies, employees knowing who is next in line should an employee be out, or making sure you have remote workstations ready should your employees need to telework.
Response Strategies:
Each department should have a detailed emergency response plan that includes exactly what each member of the team should do in the case of an emergency.
For example, if there is a fire, procedures and safety protocols are essential for recovery. How will each employee leave the building? Where will people gather? When, how, and who will alert the media, public or customers should also be specified in your response strategies. This should also include a detailed disaster recovery plan to make sure all that your technology needs are covered and will probably require an IT strategy and management specialist.
It is important to remember to keep communications in mind. How you communicate what you do is key to maintaining your organization’s integrity.
Recovery Strategies:
After the disaster has occurred, your organization’s focus should be on recovery. This step of the business continuity plan outlines exactly what your recovery processes are and who is responsible for implementation.
Some resolutions and recovery steps will be instantaneous. Others may take days or weeks. For all of your recovery plans, make sure your stakeholders have clear-cut estimates on recovery plan activation.
Training and Testing:
Your BCP should include plans to train your team what to do in the event of an emergency. This could include basic training as well as individual trainings to specific threats, for example, training on what to do if an employee has been exposed to Covid-19 and other items pertaining to Covid-19. (This training is required for all businesses with over 5 employees in the Emergency Temporary Standard (ETS) in the Commonwealth of Virginia.)
As part of your BCP, you should also include tactical exercises designed to test procedures and protocols and to prepare employees. Examples of this include fire and active shooter drills.
Another element of this training should include developing a crisis communications plan and letting employees know who and who can not speak for the company. It is best to instruct employees NOT to publish updates on Facebook, Twitter, or LinkedIn. Remember that your designated communications representative will be the one to speak for your company.
Your training exercises should have:
- Clear goals and objectives
- Easily understood descriptions of the emergency scenarios
- Instructions for all participants
- A post-exercise evaluation
Business continuity planning should evolve your organization and as new threats appear. You should conduct reviews of your BCP annually. These reviews and any updates made should be documented and your team should be made aware of them.