Business Continuity Planning (BCP) is a process that identifies potential threats to an organization or company and the impact that those threats may have on operations. Most people associate business continuity with major incidents and disasters that could prove detrimental to operations, but BCP needs to be more than just preparation for major acts of God or third-party impacts. Any incident or occurrence, however minor, could have a negative impact on a business’s operations. The process of planning for continuity allows a business to highlight areas of vulnerability in everyday activities or things that may be taken for granted, rather than just planning for major disasters.
Consider the risks that every business is exposed to on a daily basis and it should be apparent that operational continuity could be affected by a number of factors, such as loss of access to a critical site or building, the loss of records, IT infrastructure or information, disruption to the supply chain, health-related pandemics or general loss of critical staff.
The planning process should focus on three main areas: responding to emergencies, managing incidents and recovering business operations. The overall Business Continuity Plan should therefore comprise three plans in one to ensure each of these areas is covered.
When an incident occurs, a degree of emergency response will usually be required. For small incidents this may only be basic activities to limit the impact or scale of the incident, but for large incidents it could involve implementing a pre-planned large-scale response and team to deal with the immediate effect. While a plan cannot identify and exhaustively prepare for every eventuality, the Emergency Response Plan element of a BCP should identify the principal roles within an emergency response team, with clear lines and methods of communication documented to avoid any confusion in the heat of the moment. It should also lay out key processes associated with incident management, for example, a pre-determined process for recording actions and decisions made along with protocols for escalating decisions and possibly preserving the scene of an incident for later investigation.
The Emergency Response Plan should give outline guidance on how to approach the initial 12 to 24 hours after an incident has occurred. This should include initial communications with all agencies or services involved to understand the situation and communications with staff and employees to ensure their safety and their understanding of the situation being managed. Whether this is a major or minor incident, the communications in the early stages of the emergency will prove to be vital in recovering the situation.
Following the initial period of response to an emergency situation, whether one hour or 24 hours, there will be a period of management of the incident and its effects that needs to be undertaken. The second element of the Business Continuity Plan should address this time period and the actions needed. Many of the preparations will be similar in terms of communication lines and recording of information but with more focus on understanding the impact of the incident and making sure that the business, suppliers and customers are made aware of what level of service interruption can be expected, if any. Clear responsibilities within the company management structure need to be addressed and documented for this stage to ensure that the minimum of time is lost in getting the right people involved at the right time. The Incident Management Plan should provide focus for ensuring that no further damage to business operations occurs and that the impact on operations is properly investigated and articulated. This will provide the foundation for actions that will follow later to recover and restore full operational capability.
The last, and arguably largest, part of the three-stage process is the Business Recovery Plan. This should be a plan that will provide the basic foundations to allow the company to restore services or operations based upon the information and impact assessed at the incident management phase. Again, like the other plans, this will give clear and concise information on who the main points of contact are within the company and also within the main supplier and customer bases. This plan should detail agreed procedures for restoration of key business aspects, for example, restoration of business-critical data, installation of IT back-ups, restoration of telecommunications or vital records. Procedures that have been agreed with key suppliers or customers should be laid out in the Business Recovery Plan to allow them to be acted upon without delay. Where mitigation actions have previously been carried out to provide a level of protection for data or systems, the plan should explain what has been done and how to restore the information or service in the pre-planned manner.
Business Continuity Plans also need to be regularly tested. Since every business changes through time, the plan will have to change to reflect new procedures or changes in operational emphasis. Testing the plan using specific scenarios will not only test the procedures and communication lines established, it will also test the knowledge and preparedness of the individuals associated with the plan.
While a business can never plan for every eventuality, it is possible to be prepared to handle most incidents that could occur. Basic levels of preparedness around predetermined procedures and communications can have a significantly positive effect on how a business reacts to, and recovers from, an incident, whether large or small. While the planning process is important, it is worthless without proper communication of its existence and content across the organization. From the company board room to the shop floor, every employee needs to have been briefed on the BCP and needs to understand their role in the plan.