Published on December 20, 2018
The business continuity planning process can seem like a complex task. However, the benefits far outweigh the cons.
The initial task of BC planning can seem like a lot of hard work, but a clearly defined Business Continuity Management System (BCMS) will be more than worth its weight if your company is faced with an incident.
Every year around 20% of businesses experience business disruption, and this number is continually growing. More alarmingly, it is reported that 75% of companies are forced to cease business operations permanently within three years of experiencing an incident.
Both existing and emerging risks are on the rise – with increases in adverse weather conditions and cyber-attacks, the globalisation of supply chains, and increasing dependency on technology all contributing to the increase.
Business continuity planning is essential to the recovery from any incident, and a clearly defined structure and framework are key to creating a comprehensive Business Continuity Plan and documenting procedures to restore your business operations in the event of a disruption. However, companies often do not carry out this activity, which can be extremely detrimental or even fatal to the business. Investing time and effort in the business continuity planning process comes with many benefits.
Implementing a BCP and ideally, a full Business Continuity Management System (BCMS), is highly beneficial to the organization's team. A BCMS provides knowledge and understanding amongst the staff from a business continuity perspective. It ensures that individuals are aware of their roles and responsibilities if an incident was to occur, which, in turn, ensures that critical activities and operations can be restored to normal functionality in as quick a turnaround as possible.
Moreover, a well-established business continuity plan helps to increase confidence amongst the personnel and other key stakeholders of a business, both that their organisation has placed their safety and security at the highest of importance and that there are adequate solutions in place to alleviate disruption and job losses following a business disturbance.
A brand must consider its reputation. Damage to reputation can be a majorly disastrous aspect for an organisation in the case of a disruptive incident – public perception can be what makes or breaks a company.
Consider the BP Oil Crisis of 2010 or the disaster at Samsung following the notoriety of its Galaxy Note 7. We can see from these examples that not only the incident itself but also the way in which the business handles and responds in the aftermath of the event contribute to the public’s perception.
In the case of BP, the problem was magnified by the negatively received reaction to their attempts to downplay the incident and the insensitive response from the then-CEO. It has since been reported that the brand has taken 8 years and over $60bn to rebuild back to its previous state.
Well-planned, quality BCPs and communications strategies would have helped the company to recover more efficiently and perhaps with less reputational damage.
In Samsung’s case, their attempts at the total recall of the affected product range were said to be poor, and the approach was widely criticised, only exacerbating the situation and making recovery attempts more difficult. For a company with a global product offering, the need for a recall strategy would be identified through implementing a BCMS, and the incident and aftermath, in this case, can only lead us to believe that the brand’s plans were not sufficient.
Another important reason BC planning is important to an organisation is its competitive advantage.
With globalisation, online commerce, and the “always-on” culture, as well as increasing innovation and emerging technologies, consumers' expectations are much higher, and their choice is much greater than ever before. Companies who set up and manage a thorough BCMS can establish consumer confidence and increase satisfaction with peace of mind that your business has the plan to minimise disruption and facilitate recovery in the quickest and smoothest way possible.
Becoming certified with recognised accreditations such as the ISO 22301 standard for Business Continuity helps to increase customer confidence and thus the competitive advantage to the business.
Finally, we must consider the communicational advantages that come from a BCMS.
Creating contact lists for notification purposes during the BCP process allows a business to reflect on and strengthen its existing communication channels and methods. This is of advantage to a business in terms of its day-to-day operations, in addition to the preparation for any potential disaster.
Now that the benefits of business continuity planning are established, the next objective for businesses of all sizes is to develop a business continuity plan. Most mid-sized business owners estimate it takes about three months to recover from a disruption to critical business functions. However, that assumes you have a plan for business continuity. What happens to businesses that don’t? According to Gartner research, businesses stand to lose up to $5,600 per minute of business disruption.
No matter if you’re big or small, businesses can’t afford to lose that much money! Developing the steps to a business continuity plan is integral to disaster recovery and restoring business functions in the face of risk and other threats to your business continuity.
Business continuity planning involves a lot of human resources and IT infrastructure. It also costs money to conduct a business impact analysis. However, you will be more at ease knowing that you can restore your business processes in the face of any business disruption.
The first step in creating a business continuity plan is to establish its scope. Determine what areas of your business need to be covered by the plan.
It is crucial to have a clear understanding of your organisation's operations to determine the plan's scope effectively. The idea is that the business can stay operational despite threats or risks by ensuring the continuity of critical business functions.
The second step is to establish a clear process for identifying and escalating incidents. The process should include the exact roles and responsibilities of your team members, outlining who will be responsible for activating the business continuity plan, and what procedures should be followed in case of an incident.
An effective business continuity management team should be able to communicate the plan to the entire organization and identify the recovery time and point objectives. They are responsible for performing business impact analysis periodically, such as running risk assessment and risk analysis. The point of these activities would be to identify the critical functions of businesses so they can be highlighted in the continuity planning.
Aside from defining the roles of the business continuity planning team, ensure you have a detailed workflow. The processes should be regularly updated to avoid inefficiencies and to manage them in time.
The team will prepare the standards for implementing strategies to resume business operations. If new team members are added, they should be well-informed and briefed about the project flow.
Identify key business areas and business functions that are most critical to operations and require the most attention during an incident to ensure business continuity. You must also pinpoint any risks that could occur.
There are internal and external potential threats unique to every business, depending on the nature of your business. Identifying these threats is vital in continuity planning because you must identify the potential scenarios you could face and create a risk mitigation plan accordingly.
Determining the acceptable downtime for each critical function is an essential step in developing a business continuity plan. You must understand the impact of downtime on your business operations to come up with the most appropriate solution and avoid revenue loss.
This step involves identifying the maximum amount of downtime that can be tolerated for each critical business function before disruptions damage your activities and reputation to the point where you couldn't recover from it.
You must prioritise critical dependencies, data and resources based on their importance in maintaining business operations.
For example, some locations are at a higher risk for certain natural disasters, such as hurricanes or flooding. There are also risks that could affect all businesses, no matter the size or nature of business functions. One example of that is a power outage.
This approach to business continuity planning ensures that your critical business functions that rely on power will not be greatly affected or that you have a backup power source in case of a power outage.
Another common threat that many businesses face today would be cyber attacks. Identity or data theft is possible when unauthorized cyber criminals gain access to your computer network. Therefore, you should conduct a risk assessment on your IT infrastructure to ensure that you can recover critical business functions after a cyber threat or prevent an IT attack in the first place.
Identifying key contacts is an essential step in creating a business continuity plan. You have to determine who needs to be notified during an incident and the channels through which they can be contacted. Make sure you keep a contact list of the business continuity team members that you will review regularly - someone might have a new phone number.
The list of key contacts should include all stakeholders relevant to the plan's scope, including employees, vendors, customers, and regulatory bodies.
You can develop recovery strategies for your most important business operations based on the risk assessment. Not only must you come up with an efficient recovery system, but it is also a must to formulate an effective communication plan.
An effective business continuity plan always puts people first. Therefore, your recovery strategies should focus on the employees, vendors, and customers. Once you identify the impact of business disruption on specific functions, you can determine its recovery capability and the resources needed to maintain business operations.
Testing is an integral part of your business continuity plan. It tells you how effective the business continuity plan is or how you can improve your recovery strategies. A successful business continuity plan must enable you to maintain the most important company functions, which reassure your partners, stakeholders, and customers. Communication is also key to making sure everyone understands what to do in case of a disruption.
You can implement various testing methods for business continuity. Ideally, you should employ as many testing methods as possible for smooth operational continuity management.
Here are some testing methods for the essential functions critical to your continuity planning.
1. Walk-Through – This type of continuity planning testing involves the business continuity team members preparing a plan for specific scenarios or natural disasters. For example, they will conduct a drill response for earthquakes, natural disasters, and power outages. This testing method aims to assess the efficiency of the emergency response and disaster recovery plan. Any identified vulnerabilities should be addressed according to the assessment of the personnel responsible for ensuring that results could be improved.
2. TableTop Test – A tabletop test involves the organization's executives. The goal is to develop the most efficient planning process for restoring the individual business functions, and the entire organization affected by potential threats. It will require a thorough analysis of the business units to highlight the most vulnerable units and develop ways to increase resiliency. This approach to continuity planning testing is to produce minimal downtime and employ minimum resources.
3. Disaster Simulation Testing – This testing method aims to recreate the environment where a specific scenario or risk could occur. For example, a business that experienced cyber attacks must consider where the attack came from and how it can improve the information technology infrastructure in the office space. It’s also important to look at the various policies employed in the workplace to avoid threats to critical business data and provide data backup and recovery strategies.
Once you implement your business continuity strategy and disaster recovery plan, the work is not done. It is an ongoing process of continuous testing and monitoring. Over time, new threats emerge, or existing threats take on a new form.
You should always conduct business continuity planning and keep it up to date. This step ensures that you can maintain business operations even as external conditions change.
Business impact analysis is a critical aspect of business continuity planning. While these two serve unique functions to the business, they are both important.
BIA precedes continuity planning. The identified business impacts will allow the business continuity team to identify potential threats, the extent of those threats, and the recovery priorities throughout the planning process.
Here is a step-by-step guide on how to conduct your business impact analysis:
For large-scale companies, it’s not always recommended that you involve all business units in your business continuity impact analysis. Identifying the essential business functions vital to ensuring business continuity is best. This approach will enable organizations to utilize minimum resources in continuity planning because you can focus those resources on the critical functions that help maintain operations.
For example, you have to identify at least seven functions that enable you to stay open despite potential risks and threats. It requires in-depth knowledge from your continuity planning team about the impact and role of every business unit. It’s a must to interview individuals directly involved with every unit because they have in-depth knowledge of the critical processes and vulnerabilities.
Another important step in conducting business continuity impact analysis is to help everyone in the organization understand the process value. It is especially important for senior leaders and process managers to understand the importance of business impact and risk analysis.
You need their support, but they might not understand what they’re supposed to do or how they should aid in the planning process. Therefore, it is the BIA personnel’s responsibility to educate them and get them on board.
Prepare a list of questions you must ask the personnel responsible for every business unit. Make sure you come prepared to have a list of the questions you must ask to get the information you need.
Focus those questions on the potential impact of any form of business disruption on the entire organization and the ways that you can manage those disruptions. When you’re all set, it’s time to conduct the BIA.
Once the interviews are completed, you can gather the answers and formulate your data analysis. Use your findings to develop a detailed risk analysis of the critical business processes and units. Then, you must recommend an action plan to ensure you put the highest recovery priorities on the most important business processes.
To ensure the success of your operational continuity management, it is important to keep these tips in mind.
There is no one-size-fits-all approach to business continuity planning. But one thing is for sure: all businesses (regardless of the size or number of employees) need one. It’s the only way you can recover from a crisis or minimize the impact of threats to your business.
Business continuity planning is an essential part of operations for any business that wants to ensure that they have a strategy to effectively recover key activities and processes with minimal negative impact in the case of a business disruption, and the software from C2 can help any business to complete this activity and create a complete, fully comprehensive BCMS.
BCMS2 is a web-based tool designed to assist and alleviate the day-to-day management of a business continuity management system. It allows you to create, store, manage and distribute business continuity plans, plus simplifies the scheduling and carrying out of exercises, with results being reported automatically via the system.
Staff will be empowered with the knowledge of their roles and responsibilities in case of an incident utilising the tool which records and manages the activities assigned to each individual and the steps to be taken at each stage.
BCMS2 allows businesses to align and self-certify to ISO 22301, providing a competitive advantage, and the integrated notifications tool provides two-way SMS, mass email, Voice Messaging, Call Conferencing, and Bulletin Board functionality builds confidence amongst business leaders and their staff that regular two-way communication can be facilitated during an incident. Book a demo today to see it in action.