Hope for the best, but plan for the worst.
The wisdom of this adage has become more apparent, and valuable, than ever before as businesses around the world continue to find their footing during the COVID-19 (novel coronavirus) pandemic. The coronavirus looms large in boardrooms and newsrooms across the globe, but the truth is that businesses that want to survive any kind of disaster—from pandemics to international conflicts to ecological devastation—need a firm understanding of business continuity planning.
A little hope is rarely a bad thing, but planning for the worst goes a long way toward keeping a business alive when it matters most. By following some basic best practices, your company can develop a business continuity plan (BCP) that’s comprehensive, flexible, and readily implemented.
What is Business Continuity Planning?
Like a lot of other business processes, business continuity planning involves identifying a specific need and developing ways to meet it. In the case of a business continuity plan, the needs involved are maintaining productivity and critical business functions, preventing (or minimising damage), and supporting recovery when disaster strikes.
As the coronavirus has so chillingly demonstrated, calamity plays no favourites when it comes to business disruptions. Small businesses and megacorporations alike rely on business continuity planning to formalise, document, and implement the emergency management protocols, processes, and policies that will help them avoid or mitigate disruption—or even destruction.
Though it may often be confused or conflated with a disaster recovery plan, a business continuity plan is actually more comprehensive. In fact, it often incorporates a disaster recovery plan as one of its primary components.
Every organisation has its own unique approach to business continuity planning, but in general it will have defined by three primary strategies:
Prevention: The policies, procedures, and any specific actions a company takes to prevent business disruptions when disaster strikes. For example, a company might invest in backup sources of gas, electricity, and water, either in the form of private reserves or alternative sourcing, generators, etc. To take another example, companies whose essential operations can be performed regardless of location might invest in remote work solutions and resources for emergencies. Or they might take a proactive approach and shift to remote team management as standard operating procedure.
Response: The policies, procedures, and protocols implemented to maintain essential business operations when a serious business disruption takes place, regardless of origin. Includes specific responses for various contingencies, including natural disasters, pandemics, international conflict or war, labour issues, etc. Also includes evacuation, safety, and communication protocols.
Recovery: The policies, procedures, and protocols used to help guide the organisation back to successful and normal operations. Includes contingency plans and workarounds for short- and long-term disaster recovery planning (for example, an alternative offsite production facility used for six months while the primary facility is repaired, upgraded, etc.). Also includes a specific recovery timeline made up of recovery time objectives (RTO) for physical and operational resolutions and recovery point objectives (RPO) for those related to data recovery and management.
RPOs will be especially important for any company that relies heavily on data for its essential operations or business process management—a description that applies to quite a few companies of all sizes in the age of Big Data. A plan to secure your data backups for reliable access and recovery once the dust settles is essential to business continuity in the twenty-first century, where everything from customer data to sales and accounting figures to irreplaceable intellectual property (IP) live in the datasphere.
“Guarding against lost profits, damage to reputation with customers, suppliers, and the public at large, and loss of staff and resources are all part of the “Prevention, Response, and Recovery” (PRR) approach to building a business continuity plan. Not every business will have the same approach, but you can start with a basic plan and customise it to fit your specific business needs.”
Why Business Continuity Planning Matters
Every business, no matter its size, vertical, or culture, is susceptible to disruption. Certain businesses are especially vulnerable to industry-specific disruptions; for example, restaurants struggling to survive due to loss of custom during coronavirus lockdowns have found themselves scrambling for revenue (and survival) in ways grocery stores have not. But having a specific and detailed plan in place to navigate nasty surprises like pandemics, war, cyberattacks, and both natural and man-made disasters can make or break a business.
This is particularly true in a crisis like the COVID-19 pandemic. Damaged supply chains, a scattered, homebound workforce, radically altered consumer habits, and essential contagion control measures such as social distancing and government-issued lockdowns have sent not just service-oriented restaurants, barber shops, and hair salons, but countless businesses into tailspins from which they may never recover without effective business continuity planning.
By developing or modifying a business continuity plan—even in the middle of a crisis—companies strengthen their ability to react effectively and survive to fight another day.
Crafting Your Own Business Continuity Plan
Guarding against lost profits, damage to reputation with customers, suppliers, and the public at large, and loss of staff and resources are all part of the “Prevention, Response, and Recovery” (PRR) approach to building a business continuity plan. Not every business will have the same business continuity management style, but you can start with a basic plan and customise it to fit your specific business needs.
1. Identify the Scope, Objective, and Goals of the Plan
The business continuity planning process starts with identifying the needs you’d like to meet (i.e., needs analysis) and setting goals to do so.
- How detailed should the plan be?
- What department(s) will the plan cover?
- How will each department’s plan interact with the plans of others, and the overall BCP for the business itself?
- What landmarks and milestones are being tracked to monitor the plan’s success?
- What is the budget for the plan, including:
- Training time
- Research and preparation
- Additional resources to implement the plan
2. Assemble Your Business Continuity Team
Like many other major projects, developing detailed business continuity plans for your business is easier to monitor and complete with a dedicated team assigned to its execution. They are, in effect, the “first responders” when disaster strikes. Document all assigned roles and responsibilities for each team member, along with their contact information.
For BCP, you’ll likely create two types of teams:
Command and Control Teams: These specialised teams are focused on crisis and recovery management. They oversee execution of the plan itself and manage all resources assigned to the BCP. Some of the sub-teams falling under this category include Crisis Management, Risk Management, Recovery Management, and Overall BCP Support and Implementation.
Task-Oriented Teams: These specialised teams cover specific areas of the PRR process within your organisation, including:
- Information Technology (IT) and cybersecurity
- Disaster recovery
- Supply chain management
- Internal and external communications, including alternate communications and public relations.
- Damage assessment and recovery
3. Perform a Business Impact Analysis (BIA)
When you identify and review the potential threats that could negatively impact each of the areas your BCP addresses, that’s a business impact analysis. A BIA is used to document critical business operations and the staff, applications, procedures, and other resources required to ensure essential operations continue when the company is experiencing a business disruption.
Ideally, your BIA will include multiple scenarios identifying recovery planning options for multiple levels of severity, from minor disruptions to cataclysmic disasters.
4. Document Critical Business Functions and Aspects
When cataloguing your critical business functions, prioritise them as low, medium, or high impact according to their importance to the company’s survival. Consider the following questions when ranking:
- What business objectives are dependent on this function?
- How many business units or departments are affected by it?
- What specialised resources, time constraints, and other limitations are connected to this function?
- What kind of damage would be created by downtime or disrupting this function—reputation, revenue, operations, etc.?
- Can this function be virtualised, automated, or moved offsite?
5. Develop and Document PRR Strategies
During this phase, your team can use the knowledge obtained during the BIA to create PRR strategies.
6. Design and Implement Testing, Training, and Revision Procedures
Once the plan is complete and the prevention, response, and recovery strategies have been documented, the team can create and document testing and training.
Testing puts the BCP to the test, via specific tactical exercises meant to simulate the disasters covered in the plan.
Training makes sure everyone in your organisation is familiar with the BCP and their roles and responsibilities within it. It also prepares them for testing.
The best testing and training exercises have clear parameters, easily understood instructions for everyone involved, and an opportunity for participants to provide post-exercise feedback.
Note: Testing takes on special importance during an actual crisis, as your company’s response to a real-world disaster will generate invaluable data you can use to further refine your BCP and improve your future efficiency and efficacy.
7. Establish Program Maintenance and Optimisation Protocols
No reliable business continuity plan is set in stone. It’s a living document that can, and should, grow and evolve to meet the changing needs of your business. Part of the BCP teams’ responsibilities includes establishing a periodic review and optimisation program to review and refine your BCP to ensure it’s at peak performance.
The BCP itself should include specific procedures for review and revision, as well as triggers for updates due to:
- Organisational changes
- External threats (war, natural disasters, pandemics such as COVID-19, etc.)
- Changes to corporate culture
- Significant alterations to the company’s digital environment or IT systems
In addition to performing a new needs analysis and BIA annually (or more frequently, depending on your company’s approach), you may want to consider an external review of your BCP with a consultant to provide fresh perspectives and perhaps identify pain points not readily visible to folks inside the system.
Plan Ahead to Guard Against Business Disruptions
In the new normal, the business of doing business is as uncertain and unnerving as life itself. Business continuity planning may not be able to remove this uncertainty, but it does give businesses a set of powerful tools they can use to prevent disruption from becoming destruction.
By developing and implementing a business continuity plan, your company is investing in its own continued survival when things get rough, and laying the groundwork for a confident and capable recovery.
Make Continuous Improvement Part of Your Business Continuity Planning with PurchaseControlFind Out How