How ready are you for unexpected events?
Don Gleason
It is rare when there is advance notice that a disaster is about to happen – even with some lead time, though, multiple things can go wrong; every incident is unique and unfolds in unexpected ways. A business continuity plan outlines procedures and instructions an organization must follow in the face of disaster, whether fire, flood, pandemic or cyber-attack – as well as business resumption procedures. Creating one gives your organization the best chance of prevailing and surviving such an event.
What is a Business Continuity Plan?
Business continuity planning is the process involved in creating a system of prevention, response, & recovery from potential threats to an organization. The plan ensures personnel, facilities, & other assets are protected and able to function quickly in the event of a disaster or business disruption. The BCP is generally conceived in advance and involves input from key stakeholders & other personnel.
BCP involves defining all risks that can affect the organization's operations, making it an important part of the organization's risk management strategy. Risks may include natural disasters (fire, flood, earthquakes), weather-related events (e.g., hurricanes, tornadoes, snowstorms), public health emergencies, and cyber security attacks. Once the likely / probable risk events are identified, the BCP should also include:
- Determining how the risks can affect operations
- Implementing safeguards and procedures that mitigate the risks
- Testing procedures to ensure they will work
- Reviewing the process to assure it is up to date
BCPs are an important part of all businesses. As we are experiencing with the COVID-19 pandemic, disruptions mean a loss of revenues and higher costs, and, as we also know, government subsidies / stimulus and insurance cannot be relied on to cover all costs or the likelihood of lasting problems due to customers moving their business to competitors. Whether operating a small business or a large one, you strive to remain operational, and we often find restoring facilities and IT to be critical for most organizations. Facilities management and IT can implement solutions to restore services, but that often does not include the rest of the business functions. An organization’s future depends on its people, processes, technology, and culture. The ability of the organization to handle any incident effectively has a positive effect on its reputation, market value, and both employee and customer confidence.
Developing a Business Continuity Plan
There are several steps many organizations need to follow to develop a comprehensive BCP - a representative BCP development workflow follows:
Overarching BCPs typically include several common components: IT Disaster Recovery Plan (DRP), BCP for each Business Unit, and Crisis Management / Emergency Response Plan. Based upon the results of the initial Phase, working collaboratively & cooperatively across the enterprise and with suppliers & partners, develop and deliver a customized Business Continuity Plan for the organization considering the People-Process-Technology-Culture-Location-Hazards. The unique plan serves as a guide; it includes how to meet the needs of your employee / patient / community / customer populations and defines essential business continuity operations that will provide support during an emergency event. The Emergency Plan will also aid the organization through collaborations with local / municipal / county / state / federal emergency preparedness officials.
DGCpartners' Approach
If the organization does not have a BCP in place, we help establish the initiative, which begins and ends with governance. The real work starts with assessing the business processes, determining vulnerable areas & processes, and estimating the potential business impacts (Business Impact Analysis - BIA) if those processes go down for hours, days, weeks, or longer.
Our engagement process helps determine the scope of the plan, engage key business areas and critical functions, identify dependencies between various business areas & functions, and determine recovery time and recovery point objectives for each critical function. We conduct Business Impact Analyses (BIA), including coordinating development/reviews of the IT Disaster Recovery Plan (DRP), Business Unit BCPs, and Crisis Management / Emergency Management Plan, train & communicate, and finally test the plan. Special emphasis needs to be placed on conducting the Business Impact Analysis (BIA), understanding the recovery & restoration objectives, assuring cross-functional response teams, and training - all steps organizations need to follow when creating a Business Continuity Plan. A representative BCP Table of Contents (courtesy of Pitney Bowes) is shown below. (Note: even in this 2007 example, a Pandemic Continuity section existed in this template for a comprehensive BCP.)
Key components include:
- Business Impact Analysis: Here, the business will identify functions and related resources that are time sensitive.
- Recovery: The business units and IT must identify and implement steps to recover critical business functions.
- Organization: A continuity team must be created and charged with devising the plan to manage the disruption.
- Training: The continuity team must be trained and tested. Members of the team should also complete exercises that go over the plan and strategies, as described below.
As with other important aspects of operations, organizations will find it useful to leverage checklists, and other “in the event of” documents / placards, etc.
There’s no such thing as a 'cookie-cutter' plan – each BCP is custom to unique conditions!
BCP Business Impact Analysis
As noted above, an important part of a BCP is a business impact analysis. BIAs identify the effects of disruption of business functions and processes and are used to make decisions about recovery priorities and strategies. The following is a view of the BIA template from the US Federal Emergency Management Agency (FEMA):
FEMA provides an operational and financial impact worksheet to help run a business continuity analysis. The worksheet should be completed by business function and process managers who are well acquainted with the business. These worksheets will summarize the following:
- The impacts - both financial and operational - stemming from the loss of individual business functions and processes
- The timing (immediate or delayed) / duration - Identifying when the loss of a function or process would result in the identified business impacts
Completing the analysis can help organizations identify and prioritize the processes that have the most impact on the business' financial and operational functions. When things should be 'restored' / 'recovered' is generally known as the "recovery time objective" and the "recovery point objective."
Okay… it is time to see how good our BCP is.
Testing the BCP
Along with testing the continuity team, the organization should also put the BCP through its paces. It should be tested several times to ensure it can be applied to many different risk scenarios. This will help identify any weaknesses in the plan, which can then be corrected. According to the Homeland Security Exercise Evaluation Program (HSEEP) there are seven types of exercises, each of which is either discussion-based or operations-based.
Discussion-based exercises familiarize participants with current plans, policies, agreements and procedures, or may be used to develop new plans, policies, agreements, and procedures, including:
(1) Seminar - an informal discussion, designed to orient participants to new or updated plans, policies, or procedures (e.g., a seminar to review a new Evacuation Standard Operating Procedure).
(2) Workshop – similar to a seminar, but is employed to build specific products, such as a draft plan or policy (e.g., a Training and Exercise Plan Workshop is used to develop a Multi-year Training and Exercise Plan).
(3) Tabletop Exercise (TTX) - involves key personnel discussing simulated scenarios in an informal setting (used to assess plans, policies, and procedures.)
(4) Games - a simulation of operations that often involves two or more teams, usually in a competitive environment, using rules, data, and procedures designed to depict an actual or assumed real-life situation.
Operations-based exercises validate plans, policies, agreements and procedures, clarify roles and responsibilities, and identify resource gaps in an operational environment, including:
(5) Drill - a coordinated, supervised activity usually employed to test a single, specific operation or function within a single entity (e.g., a fire department conducts a decontamination drill).
(6) Functional Exercise (FE) - examines and/or validates the coordination, command, and control between various multi-agency coordination centers (e.g., emergency operation center, joint field office, etc.). A functional exercise does not involve any “boots on the ground” (i.e., first responders or emergency officials responding to an incident in real time).
(7) Full-Scale Exercise (FSE) - a multi-entity and multi-discipline exercise involving functional (e.g., joint business & IT, incident command and emergency operation centers, etc.) and a “boots on the ground” response (e.g., first responders and emergency officials [i.e., firefighters, law enforcement, EMTs], and - if circumstances warrant - decontaminating mock victims) to train on the complete response to a catastrophic event.
CONCLUSIONS
Business Continuity Planning involves a coordinated, collaborative, cooperative process of preparing to match urgent needs with available resources in the face of a disruptive event. The process steps/phases include research/assessment, strategizing, writing, dissemination, testing, and updating (periodically adapted to changing conditions & circumstances). It serves as the organization’s guide to the protocols, procedures, roles and responsibilities in the wake of the disruption. Comprehensive Business Continuity Planning is an exploratory process into organizational resilience that provides generic procedures for managing unforeseen (but not inconceivable) disruptions to the business and should use carefully constructed scenarios to anticipate the needs that will arise from the envisioned hazards.
Plans are needed, not only for responding to unplanned disruptions and the impacts of a crisis, but also to maintain business continuity while managing the response to the crisis, and to guide recovery and reconstruction effectively. The BCP is a document, shared between participants & stakeholders specifying tasks and responsibilities adopted in the response to the emergency – serving as a blueprint for managing such events. It is the framework for the organization’s emergency management response.
First and foremost, Business Continuity Planning is a process, not an outcome, especially since the plan itself will need to be updated over time as circumstances change within and around the organization.
Every BCP is unique and tailored / customized to reflect the unique circumstances of the organization’s location(s) and specific conditions, technologies, and supporting services & agencies. Failure to plan can be construed as negligence and an inadequate plan equates to an inadequate response that can have a deleterious effect on the organization and its business.
Business Continuity Planning must be supported from the top down – meaning C-Level executives and senior management must be represented when creating and updating the plan. It cannot be delegated to subordinates without diluting the message. Overall, management is key to promoting user awareness and assuring appropriate urgency and seriousness is reflected in the plan. Plan distribution and training can be conducted by business unit managers or HR and, for the BCP to be successful, all employees—even those who aren't on the continuity team—must be aware of the plan.
Give your organization the best shot at success: put a current & tested plan in the hands of all personnel responsible for carrying out any part of that plan. The lack of a plan does not just mean the organization will take longer to recover from an event; it could result in going out of business for good.
Thanks for reading this article, I hope you found it both insightful and helpful.
BTW, the individual in the covering photo is my six-year-old granddaughter who enjoys sitting on / riding the miniature donkeys she is sitting on. Unfortunately, advancing from sitting to riding (and wearing a helmet), she fell off and broke her arm (her humerus bone – requiring pins).
Talk about the unexpected! The good news is that she’s on the mend and anxious to get back to learning how to ride!
Don Gleason is the CAO of DGCpartners - a small veteran-owned management & technology consulting firm helping clients gain control of costs and schedule for their most strategic initiatives – building, driving, and mentoring teams in best practices to assure sustainable change management discipline and business transformation success. We've been there and done it – “we don’t bring the bus; we bring the best!” - in industries from manufacturing and healthcare, to finance and government services, we bring a hands-on approach rooted in industry & process knowledge and executive-level IT experience. Our processes scale and leverage industry leading best practices around process execution, budgeting, operational efficiencies, business process and IT outsourcing, and improving Business-IT decision-making.
Director First Habib Modaraba & Habib Metropolitan Modaraba Mngt. Co. (Pvt) Ltd., Ex. Head of Risk - Habib Metropolitan Bank Ltd. Specialization - Corporate Governance & Risk Management
1y
1) Do we need a separate Crisis Management Plan / Policy document, in presence of a comprehensive BCP document with BCP/Crisis Management well defined represented C-Level executives? 2) Would it be right to say that BCP & CMP (Crisis Management Plan) s target of Former is laying down plan for restricted to Expected incidents / pre-conceivable incidents to which normal operational guidelines do not cater to, while the latter concerns Unexpected incidents (so for these you can't document specific remediation plan) and the senior / experienced executive constituted CMP Team find way for resolution based on general guidelines and insight based on experience / subject expertise? 3) a) Would it be right to say that BCP is restricted to remediation of internal operation for resumption of critical service to customers? Whereas, Crisis are of remisList of incidents b) Whereas, subject of Crisis Remediation are adverse events/incidents/situations adversely impacting stakeholder (customers/market/society/employees/shareholders/regulators) Perception / Well being, either due organization's operations' disruption or otherwise? A list of events falling in this category would add to any clarification provided? Mohammad Shams Izhar