Business Continuity Management - What is it?
Rarely organizations get advance notice that a disaster is ready to strike. Even with some lead time, though, multiple things can go wrong; every incident is unique and unfolds in unexpected ways.
This is where a business continuity plan comes into play. To give the organization the best shot at success during a disaster, you need to put a current, tested plan in the hands of all personnel responsible for carrying out any part of that plan. The lack of a plan doesn't just mean your organization will take longer than necessary to recover from an event or incident. You could go out of business for good.
Importance of business continuity planning
Restoring IT is critical for most companies, numerous disaster recovery solutions are available. You can rely on IT to implement those solutions. A company's future depends on the people and processes. Being able to handle any incident effectively can have a positive effect on the company's reputation and market value, and it can increase customer confidence.
If the organization doesn't have a BC plan in place, start by assessing the business processes, determining which areas are vulnerable, and the potential losses if those processes go down for a day, a few days or a week. This is essentially a BIA.
Next, develop a plan. This involves six general steps:
Identify the scope of the plan.
1. Identify key business areas.
2. Identify critical functions.
3. Identify dependencies between various business areas and functions.
4. Determine acceptable downtime for each critical function.
5. Create a plan to maintain operations.
One common business continuity planning tool is a checklist that includes supplies and equipment, the location of data backups and backup sites, where the plan is available and who should have it, and contact information for emergency responders, key personnel and backup site providers.
Remember that the disaster recovery plan is part of the business continuity plan, so developing a DR plan should be part of the process.
Testing the business continuity plan
A real incident is a true test and the best way to understand if something works. However, a controlled testing strategy is much more comfortable and provides an opportunity to identify gaps and improve.
Common tests include table-top exercises, structured walk-throughs, and simulations. Test teams are usually composed of the recovery coordinator and members from each functional unit.
a. A table-top exercise usually occurs in a conference room with the team poring over the plan, looking for gaps, and ensuring that all business units are represented therein.
b. In a structured walk-through, each team member walks through his or her components of the plan in detail to identify weaknesses. Often, the team works through the test with a specific disaster in mind. Some organizations incorporate drills and disaster role-playing into the structured walk-through. Any weaknesses should be corrected and an updated plan distributed to all pertinent staff.
c. Disaster simulation testing can be quite involved and should be performed annually. For this test, create an environment that simulates an actual disaster, with all the equipment, supplies, and personnel (including business partners and vendors). The purpose of a simulation is to determine if you can carry out critical business functions during the event.
During each phase of business continuity plan testing, include some new employees on the test team. "Fresh eyes" might detect gaps or lapses of information that experienced team members could overlook.
Review and improve the business continuity plan
Once that job is complete, some organizations let the plan sit while other, more critical tasks get attention. When this happens, plans go stale and are of no use when needed.
Technology evolves, and people come and go, so the plan needs to be updated, too. Bring key personnel together at least annually to review the plan and discuss any areas that must be modified.
Prior to the review, solicit feedback from staff to incorporate into the plan. Ask all departments or business units to review the plan, including branch locations or other remote units. If you've had the misfortune of facing a disaster and had to put the plan into action, be sure to incorporate lessons learned. Many organizations conduct a review in tandem with a table-top exercise or structured walk-through.
Ensure business continuity plan support, awareness
Every business continuity plan must be supported from the top down. That means senior management must be represented when creating and updating the plan; no one can delegate that responsibility to subordinates. In addition, the plan is likely to remain fresh and viable if senior management makes it a priority by dedicating time for adequate review and testing.
Management is also key to promoting user awareness. Although plan distribution and training can be conducted by business unit managers or HR staff, have someone from the top kick off training and punctuate its significance. It'll have a greater impact on all employees, giving the plan more credibility and urgency.
Delivering Business Value
Build confidence in business resilience and preparedness across enterprise operations, supply chains, and third parties
Strengthen business resilience with a coordinated and agile strategy for recovery from business disruptions
Increase preparedness to mitigate business continuity risks, and reduce insurance premiums through streamlined risk assessments
Drive better decisions with the help of a 360-degree business impact analysis that helps prioritize key assets and processes for recovery
Improve the agility of incident response through seamless integration with emergency mass notification systems