Creating a business continuity plan (BCP) on your own can be daunting. You may feel overwhelmed wondering what critical business functions to include in your plan, what risks to create contingencies for, and how to even start your business continuity planning. But whether it’s a regulatory requirement, a new contract, or concern about business sustainability, creating a business continuity management system is not optional; it is something you need to do.
In this blog post, we’re going to examine what business continuity plans are, how to know what to include in them, and important step-by-step considerations for your business continuity planning process. Don’t navigate this journey alone. Contact our experienced team today for help guiding you through your business continuity and disaster recovery planning process. You can be confident your time will be invested well. Book a consultation today!
What Is a Business Continuity Plan?
A business continuity management plan is necessary when a crisis hits your business. And we’re not just talking about a fire in your data center or a crater where the office used to be. A mishandled public relations event can be just as damaging to earnings as a direct hit from a tornado.
Simply put, a business continuity plan is a set of guidelines and processes your business will follow in the event of a business disruption—little, big, or catastrophic. Having this plan ahead of time means that no matter the emergency, your business can manage through it. You often don’t have the time to call for backup when an emergency strikes, so having this plan beforehand strengthens your organization and increases your odds of surviving active threats, accidents, failure events, or downtime.
How Do I Know What to Put in My BCP?
Creating a BCP uses an evidence-based approach and needs to align with standards appropriate to your industry and business objectives such as:
- NFPA 1600:2019 – National Fire Protection Association Standard on Continuity, Emergency, and Crisis Management
- ISO 22301 – International Business Continuity Management Standard
- FFIEC IT Examination Handbook – Federal Financial Institutions Examination Council (Business Continuity Management booklet)
- OSHA – Occupational Safety and Health Administration
- NIST 800 Series – National Institute of Standards and Technology (e.g., SP 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems)
What Are the Steps to Creating a BCP?
When it comes to creating a business continuity plan, there are three essential steps you have to take. First, you gather raw data from all areas of your operations. Then, you go through the business impact analysis (BIA) and risk assessment process; this is where the raw data is analyzed and refined into actionable information. Once completed, your BIA report provides executive leadership with risk intelligence based on recovery objectives, dependencies, business processes, and the financial impact of downtime, so that strategic corporate decisions can be made and implemented as business continuity plans.
Let’s examine each step more closely.
Step 1. Gather Data
First, raw data is gathered about information systems, business functions, and processes. You’ll identify these significant areas and assets through questionnaires, workshops, or interviews with key department heads, so that you get the full spectrum of data you need to analyze for building a comprehensive business continuity plan.
Step 2. Perform Business Impact Analysis and Risk Assessment
Next, you have to rate each risk with a numerical value so that risks can be ranked against one another. For example, a threat event might score a nine on a nine-point likelihood scale if it is expected to occur, or a one if there is only a remote possibility of it occurring and no recent record of it happening.
Some of the risk areas we examine include:
- External risks: natural disasters, manmade disruptions, and technological threats to personnel, operations, and clients
- Facility-wide risks: any threat that poses a risk to the people, places, and things on-site at your building
- Data and network risks: anything that risks the confidentiality, availability, and integrity of company data and network functions, like cyber-attacks, human error, or faulty data backups
- Departmental risks: threats to business functions or processes at the departmental level
- Work area risks: threats that impact job function or capability at the production or individual level
Quantify Risks
Risks also need to be quantified, attributing a dollar amount to the effect and impact of downtime. For some industries, such as banking or public utilities, it can be challenging to quantify dollars lost per hour, as revenue streams flow from loans already booked before an event occurred and are not immediately disrupted. However, soft-impact losses can still be quantified, such as damage to brand value or lost market share. For other industries, like manufacturing, it’s easier to quantify dollars lost per hour: if a production line goes down for a length of time, the result is a measurable loss of inventory, material, shipments, revenue, and potentially customers.
Establish Downtime Classifications
Not everything that happens requires a response from the CEO and the local fire department. Having pre-established levels or tiers of escalation for any possible scenario helps ensure the right people are involved at the right time. For example, some risks only represent a correctable hazard or vulnerability, such as an extension cord across a walkway being a trip hazard.
But in higher tier levels, you may need a coordinated emergency response effort to respond to a critical server going down that affects multiple departments and business functions. An example of a catastrophic level event would be a loss of critical capacities and/or capabilities that exceed maximum tolerable downtime measures – think large-scale natural disaster – where it may be beyond your ability to determine how to respond.
Perform a Risk Assessment
A risk assessment is a way to ask, “What can go wrong?”, “How likely is it to happen?”, and, if a risk event does occur, “What are the potential consequences for us?”
For example, if a critical server goes down, is the data it contains backed up and easily recoverable? Do you have a backup server to replace it? If not, how long will it take to acquire one, re-image it, and get it into production? Data and business losses increase with time. The results of an effective risk assessment help establish the relationships between the cost of recovery, the cost of downtime, and your organization’s risk tolerance levels.
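The scoring, dollar quantification, downtime tiers, and cost-of-recovery versus cost-of-downtime comparison described in Step 2 come together in a risk register. The following is an added worked example, not code from this post or from ImageQuest: the business functions, risks, dollar figures, the 1..9 likelihood scale, the tier thresholds, and the treatment rule are all constructed assumptions chosen to show how the pieces relate.

```python
"""Worked business impact analysis (BIA) example.

Added illustration, not ImageQuest's tooling. Everything here is constructed:
the functions, risks, dollar figures, the 1..9 likelihood scale, the tier
thresholds and the treatment rule are assumptions made for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BusinessFunction:
    name: str
    hourly_downtime_cost: float   # dollars lost per hour of outage
    mtd_hours: float              # maximum tolerable downtime


@dataclass(frozen=True)
class Risk:
    name: str
    area: str                     # external, facility, data_network, departmental, work_area
    likelihood: int               # 1 = remote possibility .. 9 = expected to occur
    function: str                 # business function the risk disrupts
    expected_outage_hours: float  # outage length if the risk materialises
    recovery_cost: float          # one-time cost of the control or recovery capability


def downtime_loss(func: BusinessFunction, hours: float) -> float:
    """Hard-dollar cost of an outage of the given length."""
    return func.hourly_downtime_cost * hours


def downtime_tier(func: BusinessFunction, hours: float) -> int:
    """Escalation tier (assumed thresholds):
    1 = correctable hazard, handled locally
    2 = coordinated response, outage is a meaningful fraction of the MTD
    3 = catastrophic, outage meets or exceeds the maximum tolerable downtime
    """
    if hours >= func.mtd_hours:
        return 3
    if hours >= 0.25 * func.mtd_hours:
        return 2
    return 1


def risk_score(risk: Risk, func: BusinessFunction) -> float:
    """Ranking value: likelihood score weighted by the dollar loss it would cause."""
    return risk.likelihood * downtime_loss(func, risk.expected_outage_hours)


def expected_loss(risk: Risk, func: BusinessFunction) -> float:
    """Likelihood-weighted loss, treating the 1..9 score as a rough probability scale."""
    return risk.likelihood * downtime_loss(func, risk.expected_outage_hours) / 9


def treatment(risk: Risk, func: BusinessFunction, tolerance: float) -> str:
    """Assumed decision rule relating recovery cost, downtime cost and risk tolerance."""
    exp = expected_loss(risk, func)
    if risk.recovery_cost <= exp:
        return "mitigate"          # the control costs less than the loss it prevents
    if exp <= tolerance:
        return "accept"            # within appetite and not worth the spend
    return "transfer or avoid"     # too costly to fix outright, too large to accept


def build_register(risks, functions, tolerance):
    """Ranked risk register: one row per risk, highest score first."""
    by_name = {f.name: f for f in functions}
    rows = []
    for r in risks:
        f = by_name[r.function]
        rows.append({
            "risk": r.name,
            "area": r.area,
            "function": f.name,
            "score": risk_score(r, f),
            "tier": downtime_tier(f, r.expected_outage_hours),
            "downtime_loss": downtime_loss(f, r.expected_outage_hours),
            "expected_loss": expected_loss(r, f),
            "treatment": treatment(r, f, tolerance),
        })
    return sorted(rows, key=lambda row: row["score"], reverse=True)


# Constructed sample data for the example
FUNCTIONS = [
    BusinessFunction("Order processing", 5_000, 24),
    BusinessFunction("Payroll", 800, 72),
    BusinessFunction("Production line A", 12_000, 8),
]
RISKS = [
    Risk("ERP server failure", "data_network", 6, "Order processing", 12, 40_000),
    Risk("Extension cord across walkway", "work_area", 5, "Payroll", 1, 50),
    Risk("Tornado strike on plant", "external", 1, "Production line A", 240, 2_000_000),
    Risk("Ransomware on file shares", "data_network", 7, "Production line A", 6, 45_000),
]
RISK_TOLERANCE = 25_000  # assumed: expected loss leadership is willing to carry per risk


if __name__ == "__main__":
    for row in build_register(RISKS, FUNCTIONS, RISK_TOLERANCE):
        print(f"{row['risk']:32} tier {row['tier']}  score {row['score']:>12,.0f}  "
              f"expected ${row['expected_loss']:>10,.0f}  -> {row['treatment']}")
```

With these assumed inputs the tornado ranks first by score because of the size of the loss even at a likelihood of one, lands in tier 3 because 240 hours far exceeds the line's 8-hour MTD, and is flagged for transfer (insurance) or avoidance since the recovery investment dwarfs the expected loss. The trip hazard scores lowest but is still marked "mitigate": the fix costs less than the loss it prevents, which is the "correctable hazard" case from the tiers discussion. The point of the exercise is the relationship between the three quantities, not the specific numbers; substitute your own BIA data and tolerance.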
Step 3. Create the Plan
Once the business impact analysis and risk assessment phase is completed, you can begin to talk about risk management strategies and the business continuity plan. Each business-critical risk that was identified in the BIA can be handled in one of four ways:
- Avoid the risk: Perhaps you have an older computer with a legacy application on it. It may be cost-prohibitive to maintain it through an upcoming network rebuild. Invest in new technology or a process to replace it.
- Mitigate the risk: Certain risks can be mitigated either by taking steps that reduce the risk – think masks or working from home during the pandemic – or by taking steps to contain it, such as isolating an asymptomatic but contagious person. Both approaches mitigate the risk of spreading a contagious disease by different yet mutually supportive means.
- Transfer the risk: Say you have an opportunity to bring on a big new client, but the contract has a component to it that would require you to make a large investment in cybersecurity assets and personnel to provide in-house support. By hiring a third party to manage your cybersecurity you can effectively transfer many risks to an organization with the skills and experience you need, while still maintaining your contracted responsibilities to the client.
- Accept the risk: Sometimes, a risk costs too much to make it go away or mitigate it, but it’s necessary to your operations. So, you accept the risk and prepare as best you can should something go awry.
The BIA and risk assessment define where operational gaps and potential weak points exist that could threaten the sustainability of your company. The business continuity plan provides the answer to “If [RISK] happens, then we [PLAN].” It provides step-by-step processes to protect your workforce and to keep your business functioning without the applications, assets, or personnel it normally relies on. While many workarounds or solutions may not be the preferred approach, when you are forced to operate under emergency conditions, having a plan in place can be the game changer you need to keep your business running, employees paid, and invoices sent out.
Get Help with Your BCP Today!
Business continuity planning doesn’t have to be difficult. When you work with ImageQuest, our team can guide you through the entire process, ensuring no risk is overlooked while saving you thousands of dollars, hours, and headaches when a disruptive event occurs. Be sure that what you’ve worked so hard to build is protected from natural, man-made, and technological threats. Book a consultation with our team today to get started – you’ll be glad you did!