According to FEMA, 40% of businesses do not re-open following a disaster, and another 29% close within the subsequent two years. Many of these business failed to create a disaster plan that could have saved them from ruin.
While the task of creating a Business Continuity Plan can feel daunting, it can become more manageable when broken down into five recommended steps:
- Program Management
- Continuous Improvement
Start the plan development by identifying the departments and business units that are most impacted by a disaster. Business Continuity Planning is a team activity and should be represented by all the areas of the organization that will need recovery and continuity. Engage team stakeholders who will be able to identify the needs and roadblocks their teams will face during a disaster. These persons should be empowered to make policy decisions and to effect changes when needed.
Business continuity planners should be cognizant of Federal, State, Local, and regulatory requirements that will impact their planning. External factors including public and employee safety must also be accounted for when creating a plan.
Planning starts with understanding the hazards that will impact your organization and what business risks those hazards create. Hazards may be naturally occurring, such as:
- Extreme weather
Other hazards that may cause a business disruption include:
- Cyber security
- Equipment failure
Identified hazards and risks are assessed using the Business Impact Analysis (BIA). The Business Impact Analysis is a reporting exercise that helps categorize risk likelihoods to direct hazard planning and response. The BIA and planning exercises are performed by the Business Continuity Planning team.
With the team created and the risks identified, it is time to write the plan to tackle the various business interruptions. While some of the plan is focused on technology interruptions and solutions, much of this step is devoted to financial and human resource management. Key areas that must be addressed in the Implementation phase include:
- Employee Management
- Resource Services
- Employee Communication
- Public Communication
- Insurance Mitigation
- Payroll and Finance
- Alternate Work Sites and Facilities
- Remote Work Capabilities
- Remote Information Technology Resources
- Information Security
A plan on paper is only a plan and yields a false sense of security. Plan stakeholders and key personnel must be in-serviced on the continuity plan. Planning exercises should be held to test the Business Continuity Plan and identify areas that need further development or could cause recovery roadblocks.
The Business Continuity Plan should be reviewed after significant vendor and system changes. It must also be reviewed regularly to ensure it is still viable. Annual plan reviews, prior to a recurring hazard, are often preferred when establishing a plan review schedule.
Plan owners should also schedule periodic test exercises to verify team members are ready to execute during a disaster and that supplemental materials, such as employee contact lists and vendor contacts, are current.