Steps to developing an effective business continuity plan
MISCONCEPTION: "Our people will know what to do in an emergency."
REALITY: Even the best employees cannot be expected to know what to do when disaster strikes. Leaving each to respond in his or her own way only adds to the confusion of an event. Having a well-documented business continuity plan in advance, and training your employees to follow it, gets everyone on the same page — helping ensure an organized, safe and timely recovery.
MISCONCEPTION: "We have insurance to cover our losses."
REALITY: Insurance alone is NOT a business continuity strategy. Proper coverage is a significant and important part of the plan. But it may not fully cover some of the peripheral damages from an event, like loss of customers, loss of market share, or setbacks in development or release of a new product. Consult with your insurance agent to understand what is and is not covered under your policy.
MISCONCEPTION: "We don't have the time to develop a business continuity plan."
REALITY: Time spent developing and maintaining a business continuity plan is an investment in your company. Your fixed costs will continue after an event whether or not you are open for business. The faster you can return your operations to normal, the more likely you will recover from the event successfully. With so much at stake, your company can't afford to NOT have a plan.
MISCONCEPTION: "Business continuity and disaster recovery planning are the same."
REALITY: Business continuity is a proactive plan to avoid and mitigate risks associated with a disruption of operations. It details steps to be taken before, during and after an event to maintain the financial viability of an organization. Disaster recovery is a reactive plan for responding after an event. It deals with the safety and restoration of critical personnel, locations, and operational procedures after a disaster, and is a part of business continuity planning.
Identify threats or risks
- Understanding the risks that could leave employees, customers, vendors, property and operations vulnerable is fundamental. Threats can include, but are not limited to, natural disasters, malicious attacks, power outages and system failures.
- Identify the risks most likely to occur based on historical, geographical, organizational and other factors. Then weigh the probability of each event against its potential impact to your business, as well as your readiness to respond.
Conduct a business impact analysis
- Identify the people, places, providers, processes and programs critical to the survival of your business. What functions and resources, if interrupted or lost, could impact your ability to provide goods and services or meet regulatory requirements?
- Consider who and what is absolutely necessary to restore critical operations. Then prioritize the need to restore each item after the event. Plan to use limited resources wisely. Complementary functions can always be restored later.
Adopt controls for prevention and mitigation
- Prevention and mitigation planning and activities are intended to help prevent an event (such as a fire or explosion from unsafe conditions) as well as to reduce the impact or severity of an event (such as relocating critical equipment to a higher elevation in flood-susceptible areas).
- Your prevention and mitigation plans should address, among other things, emergency response, public relations, resource management, and employee communications.
Test, exercise and improve your plan routinely
- A business continuity plan is an evolving strategy that should adapt to your company’s ever-changing needs. Test and update it regularly – yearly at a minimum – or any time critical functions, facilities, suppliers or personnel change. Train employees to understand their role in executing the plan, too. Exercises can range from discussions or hypothetical walk-throughs of scenarios to live drills or simulations. The key is to ensure the plan works as intended.
Four-Step Planning Process for Your Business Continuity Plan
Conduct a threat assessment. It can help identify the nature and likelihood of an event. According to Verizon’s annual Data Breach Investigations Report (DBIR), malware, phishing and misuse of credentials are major vulnerabilities.¹ Other events may involve unintentional actions such as an employee emailing a wrong file, sending it to the wrong person or misplacing a laptop or other electronic device that contains sensitive information.
Your plan should include ways to mitigate the impact of losses caused by these accidental or intentional acts or technological failures. It should also take into account weather-related or natural disasters, including tornadoes, hurricanes or earthquakes. Power outages and power grid failures also should be considered.
Business Critical Impact Analysis
Conduct a business impact analysis. It will help you identify and prioritize the business functions that are most critical to keeping your operations running. This analysis can help ensure your business can be restored quickly. Here are a few reasons:
- Your data inventory and classification process can help identify the critical data that must be maintained to continue acceptable levels of operation.
- Having a network inventory can help identify the critical hardware, software and firmware needed to continue to provide goods and/or services.
- Determining the maximum time an interruption can last before it causes significant impact to your business can help you prioritize the areas that need to be addressed first.
Prevention and Mitigation Strategies
Include a comprehensive backup strategy for critical data, hardware, software and firmware. Other non-critical functions can generally be restored and returned to normal operations over time without interrupting your business.
Be sure to specify in your plan who is responsible for creating backups, where the backups are stored, and who has access to the backups. All backups should be stored at a remote location that cannot be impacted by the same event. The area should be secure with restricted access. You also can use third parties to store your backups. When you set up a contract with a third party, specify the level of security required, and the time frame they have to deliver your backups. You should fully document these procedures, and keep them up to date.
Key backup considerations should include:
- Electronic data should be automatically backed up on at least a weekly basis. Consider backing up data more frequently for systems storing critical information.
- Back up proprietary or in-house built software and applications off-site so they can be readily reloaded into replacement equipment.
- A protected authoritative copy of your organization’s web content should be maintained in a safe location.
Testing, Practice and Continuous Improvement
Routinely test your plan so you can evaluate its effectiveness. Key employees and third parties should be familiar with the backup and restoration processes. They should periodically conduct sample tests of the system backups to verify that the operating system, applications and data from the backup can be restored.
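To turn the backup requirements above (weekly minimum, off-site storage, sample restores that verify the data came back intact) into something that can be checked routinely, here is an added example that is not part of the original page: a small audit run over a constructed backup manifest with a hypothetical schema. The one-day window for critical systems is an assumption the page leaves open.

```python
import hashlib
from datetime import datetime, timedelta, timezone

WEEKLY = timedelta(days=7)  # the page's minimum interval for ordinary data
DAILY = timedelta(days=1)   # assumed stricter window for critical systems

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed source data as it looked when the backup job ran.
SOURCE = {
    "erp-db": b"customer orders 2024-05-01 ...",
    "file-share": b"engineering drawings v17",
    "website": b"<html>public site content</html>",
}

# Constructed manifest as a backup job would write it (hypothetical schema).
NOW = datetime(2024, 5, 8, 9, 0, tzinfo=timezone.utc)
MANIFEST = [
    {"system": "erp-db", "critical": True, "offsite": True,
     "taken": NOW - timedelta(hours=6), "sha256": sha256_hex(SOURCE["erp-db"])},
    {"system": "file-share", "critical": False, "offsite": False,
     "taken": NOW - timedelta(days=10), "sha256": sha256_hex(SOURCE["file-share"])},
    {"system": "website", "critical": False, "offsite": True,
     "taken": NOW - timedelta(days=2), "sha256": sha256_hex(SOURCE["website"])},
]
# Constructed contents pulled back from the backup store for a sample restore;
# the website copy has been silently corrupted.
RESTORED = {
    "erp-db": SOURCE["erp-db"],
    "file-share": SOURCE["file-share"],
    "website": b"<html>public site cotent</html>",
}

def audit_backup(entry: dict, restored: dict, now: datetime) -> list:
    """Return the failed checks for one manifest entry (empty list means OK)."""
    findings = []
    if now - entry["taken"] > (DAILY if entry["critical"] else WEEKLY):
        findings.append("stale")
    if not entry["offsite"]:
        findings.append("not-offsite")
    blob = restored.get(entry["system"])
    if blob is None:
        findings.append("missing")
    elif sha256_hex(blob) != entry["sha256"]:
        findings.append("integrity")
    return findings

def audit_all(manifest: list, restored: dict, now: datetime) -> dict:
    return {e["system"]: audit_backup(e, restored, now) for e in manifest}
```

Run on the constructed data, the audit passes the ERP database, flags the file share as both stale and stored on-site, and catches the corrupted website copy that a simple "backup job succeeded" status would have missed.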