Important: The Scope of a Business Continuity Plan
This post was originally published at https://invenioit.com/continuity/scope-of-a-business-continuity-plan/
You’ve worked hard to build up your business, and it’s growing. The future looks bright. Then you get the news every small business owner or manager dreads – there’s been a fire, or a flood, or perhaps a tornado, or even an earthquake. Whatever the reason, your place of business has been rendered unusable, and for the moment at least, your entire operation has come to a halt.
So, what do you do now? What steps will you take in the next few minutes and hours to get your company back to work as soon as possible?
If you can’t answer that question immediately and in precise detail, your business is at great risk. Disasters, both natural and man-made, can strike at any time, and often do so with very little warning. The consequences of not being prepared can be devastating. According to the Federal Emergency Management Agency, almost 40 percent of small businesses affected by a disaster never reopen their doors.
How can you ensure that your company won’t be part of that statistic? The answer is to have a well thought out business continuity plan.
What is a Business Continuity Plan (BCP)?
A BCP lays out the steps and procedures a company will follow before, during and in the wake of a disaster, so that it can maintain maximum functionality during the emergency and get its operations back to normal in the shortest possible time. With a good BCP in place, your company’s employees will know exactly what to do when disaster strikes.
In this post, we outline the scope of a typical business continuity plan and how to create one, including:
· Sections to include
· Identifying the plan's objective
· How to test the BC plan
· Outsourcing your business continuity planning
· Choosing BC/DR vendors for backup and recovery
The Scope of a Business Continuity Plan
What should be in your BCP so that you can be sure that your business is adequately prepared for a disruption? The following are seven areas any good business continuity plan should address. If you're creating a BCP for the first time, these are high-level tips to help you create the core framework of your plan. Below, we go into more detail on what to include within each section.
1. Identify Critical Business Functions
One of the most vital steps in formulating a good BCP is to conduct a business impact analysis (BIA) to identify the crucial areas of your business that must be maintained or quickly restored when a disaster strikes. It’s these core business functions that your BCP will be designed to protect.
2. Identify Critical Systems and the Dependencies Between Them
Your BCP should identify the systems and data that are most critical for the continued operation of the company. What equipment, supplies and records (both digital and paper) must be available and operational in order for your company to continue to function?
3. Identify Your Risks
What are the most likely disruptive events that might impact your company’s operations? Tornadoes, hurricanes, wildfires, earthquakes? What about other incidents, such as server outages, ransomware attacks and accidental data loss? Obviously, it’s not possible to predict which disaster will strike your operations or when, but you can and should specifically plan for every possible scenario.
4. Specify Your Data Backup and Recovery Plan
Your BCP should specify data backup and recovery procedures. How frequently will backups be conducted, and by whom? Where will the data be stored, and how will it be geographically replicated so that no local disaster can result in a permanent loss? How will it be recovered? These questions should be addressed both for electronic and critical paper records.
5. Identify the Composition, Functions and Procedures of Your BC Team
Who can declare an emergency that brings the BCP into operation? Who are key employees who should be notified (and how), and who will be in charge? Where will BC team members and other employees meet if the company premises are not usable? These questions and more should be addressed in detail in the BCP.
6. Have a Detailed Communications Plan
How will the BC team be notified of an emergency if, for example, your email systems and telephones are disrupted? Who is authorized to speak on the company’s behalf to media, customers, suppliers and external partners, such as government agencies? The plan should include a list of people and agencies that will be contacted when an emergency is declared.
7. Specify BCP Testing, Refreshing and Training Procedures
A BCP that looks good on paper may be totally unworkable in practice. It must be realistically tested before it is put into operation, and key employees must be trained in its use. It must then be updated on a regular basis. With changing conditions, technology, organizational structures and personnel, the plan can quickly become outdated and unusable. Procedures for training, testing and refreshing the plan should be included in the BCP itself.
The Importance of Proper Planning
Creating a thorough business continuity plan is the most important thing you can do to prepare your business for an operational disruption.
As the Department of Homeland Security notes, “A business continuity plan to continue business is essential.” Proper planning ensures that operations can be quickly restored, regardless of what has caused the incident.
Preparing for all possible disasters is vital to this planning, as FEMA writes:
"The planning process should take an 'all hazards' approach. There are many different threats or hazards. The probability that a specific hazard will impact your business is hard to determine. That’s why it’s important to consider many different threats and hazards and the likelihood they will occur. In developing an all-hazards preparedness plan, potential hazards should be identified, vulnerabilities assessed and potential impacts analyzed. Strategies for prevention/deterrence and risk mitigation should be developed as part of the planning process. Threats or hazards that are classified as probable and those hazards that could cause injury, property damage, business disruption or environmental impact should be addressed."
Getting the scope of your business continuity plan right is crucial to the survivability of your business if disaster should strike.
What is Your Business Continuity Plan Objective?
In other words, what is the purpose of your business continuity plan? While the fundamental goal of every BCP is similar—to ensure continuity through a disruption—plans can vary in their approach. This is why it's important to identify your business continuity plan objective at the start of your planning. Typically, this is one of the first sections in a BCP.
For example:
· A BC plan objective can be focused on the business as a whole, or specific business units and processes.
· Some organizations create separate BCPs for IT operations, focused on continuity of networking, data storage, backup, Internet connectivity and so on.
· A business with little risk for technology-related hazards, such as smaller retail establishments, may set a business continuity plan objective that is more focused on emergency response protocols, employee safety and workforce continuity.
Setting a plan objective is crucial for ensuring that everyone is on the same page about what the plan aims to achieve. If, for example, the plan is focused solely on IT continuity, then this will make it clear that additional planning is needed for other areas of the business.
What about RTO and RPO?
Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are additional objectives that should be identified within certain sections of your business continuity plan. However, unless your plan is strictly focused on a specific system (rather than the business as a whole), these objectives should not be used as the plan's key objective. Instead, RPO and RTO belong in your recovery planning sections, where they are set per system or per business function.
Here's the difference between RTO and RPO:
· RPO is the desired backup recovery point for restoring data: essentially the maximum acceptable age of the most recent backup, which equals the amount of data (measured in time) you are prepared to lose. The more recent, the better.
· RTO is the desired speed of restoration following an outage, measured from the start of the disruption to the moment the system or function is back in service. The faster, the better, e.g. a 2-hour RTO following a hard drive failure.
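The following added example (not part of the original post) turns the two definitions above into a check you can run against a recovery test or a real incident: it measures the achieved RPO and RTO from backup timestamps and restore times, compares them to assumed objectives of 4 hours (RPO) and 2 hours (RTO), and screens a backup schedule's interval against the RPO, which is the same check the vendor-selection section later applies. All timestamps and objectives are constructed sample values.

```python
from datetime import datetime, timedelta

# Assumed objectives, as a BCP recovery section might state them for one system
RPO = timedelta(hours=4)   # tolerate losing at most 4 hours of data
RTO = timedelta(hours=2)   # system must be back within 2 hours of the outage

def achieved_rpo(backups, outage_start):
    """Age of the newest backup completed before the outage, i.e. the data actually lost.
    Returns None when no backup predates the outage (total loss for this system)."""
    usable = [b for b in backups if b <= outage_start]
    if not usable:
        return None
    return outage_start - max(usable)

def achieved_rto(outage_start, service_restored):
    """Elapsed time from the start of the outage to confirmed restoration of service."""
    return service_restored - outage_start

def evaluate_test(backups, outage_start, service_restored, rpo=RPO, rto=RTO):
    """Compare one recovery test (or incident) with the plan's objectives.
    The returned record is the kind of evidence the BCP's test documentation should keep."""
    rpo_actual = achieved_rpo(backups, outage_start)
    rto_actual = achieved_rto(outage_start, service_restored)
    return {
        "rpo_met": rpo_actual is not None and rpo_actual <= rpo,
        "rto_met": rto_actual <= rto,
        "data_loss_window": rpo_actual,
        "downtime": rto_actual,
    }

def schedule_meets_rpo(backup_interval, rpo=RPO):
    """Screen a backup solution: its worst-case data loss is one full backup interval,
    so the interval must not exceed the RPO."""
    return backup_interval <= rpo

# Constructed sample: nightly backups at 02:00, outage at 13:30, service restored at 15:00
_backups = [datetime(2024, 3, day, 2, 0) for day in range(1, 4)]
_outage = datetime(2024, 3, 3, 13, 30)
_restored = datetime(2024, 3, 3, 15, 0)

if __name__ == "__main__":
    result = evaluate_test(_backups, _outage, _restored)
    print(result)   # RTO was met (1h30m), but nightly backups cannot satisfy a 4-hour RPO
    print("nightly schedule meets RPO:", schedule_meets_rpo(timedelta(hours=24)))
```

In the sample the restore was fast enough but the nightly schedule left an 11.5-hour data-loss window, which is the kind of gap the "action items" section of a plan should record.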
Business Continuity Plan Assessment
Your business continuity plan assessment—often referred to as a risk assessment—is another critical section of your planning document.
Above, we mentioned the importance of identifying the most likely risks to your organization. This is the section where you will outline those risks, defining what they look like and their likelihood of occurring. By assessing your risks in this fashion, you'll be able to prioritize your planning around the most urgent risks.
Some organizations may also choose to incorporate aspects of their business impact analysis in this section, in the form of a table or chart. This provides a clearer overview of the threats and their severity, at a glance.
Business Continuity Plan Checklist: Have You Included These Sections?
We've touched on the fundamental scope of a business continuity plan, and some key components to include. But there are several other sections you'll want to include to ensure that the plan is effectively communicated and able to be properly executed. Use the business continuity plan checklist below as a basic outline for how to structure your document and what these sections should entail.
o Contact information: Include the names and contact information of those who have created the BCP. You may also choose to include the contact information of disaster recovery team members here, as well as stakeholders who should be notified first when critical business disruptions occur.
o Plan objectives: Outline the key goals of the plan and its areas of focus, as directed above, to define its scope (and limitations).
o Risk assessment: Identify probable risks and disaster scenarios, as outlined above, which have the potential to cause a break in continuity.
o Impact analysis: Define the impact of those scenarios, including the potential length of the disruption, business systems or areas that will be affected and the estimated costs.
o Prevention: Define the systems and protocols that will help to prevent those scenarios from occurring or that can mitigate the issue. A basic example would be antimalware solutions to prevent a malware infection.
o Response: Provide step-by-step instructions for how to respond to the disaster scenarios identified in the risk assessment. Typically, these are the protocols that should be followed immediately after a disruption to ensure a swifter mitigation and recovery.
o Recovery: Detail the additional protocols for fully recovering affected systems or business functions. Examples could include recovering data from backup, restoring lost power or rebuilding a structure after a natural disaster.
o Contingencies: Identify backup assets and contingency plans for incidents involving extended disruptions. This could include a sudden transition to remote work, as was seen during the COVID-19 pandemic, as well as secondary business locations and backup equipment if primary facilities are destroyed.
o Action items: Explain any weaknesses identified during the planning process or outstanding action items that need to be followed up on. For example: the need to deploy a new data backup solution for greater protection against emerging threats such as ransomware.
o Communication: Identify the means of communicating important updates between recovery teams and to other personnel. Examples could include the use of mobile devices/text messages, intranet/extranet sites or emergency phone lines for employees to call for updates during prolonged disruptions.
o Plan review: Specify how often the business continuity plan should be reviewed and updated, and by whom.
Auditing a Business Continuity Plan
Routine review and auditing of a business continuity plan is crucial for ensuring that the information within the plan is still accurate and up to date. As new risks emerge, or business objectives change, it is necessary to revisit the plan and update those sections accordingly.
For example, only a few years ago, the threat of ransomware was not on businesses' radar. Today, it is one of the most dangerous risks to organizations, and as such, is now commonly included in BC plans across numerous industries.
On a smaller scale, even the personnel names and contact information within a BCP can quickly become outdated when employees leave the company. So it's important to make sure every aspect of the plan is up to date.
How to Conduct Business Continuity Testing
Business continuity testing is another vital part of the planning process. Testing ensures that the protocols and systems identified in the plan are actually effective. Routine tests also help to educate recovery teams and have them walk through the steps, so they are familiar with the processes when real disruptions occur.
Business continuity testing can encompass nearly any aspect of your planning, including:
· Data backup validation and recovery tests
· Mock drills for IT infrastructure failures
· Emergency response & evacuation procedures
· Network stress tests
All tests should be thoroughly documented. Did anything go wrong? Were recovery objectives met? What improvements must be made?
Hiring a Business Continuity Professional or Consultant
Hiring a business continuity consultant can be a smart move for businesses that need an outside perspective from a professional. Experienced consultants can identify any gaps in your business continuity plan, as well as the need for additional systems or procedures.
If you plan to hire a business continuity professional, you'll want to be sure that the consultant is the right fit. Here are some tips:
· Look for a consultant with experience in your specific industry or niche
· Confirm the consultant's area of expertise; for example: IT-only or comprehensive business continuity planning
· Ask for referrals that you can contact for a deeper understanding of the consultant's quality of service
Outsourcing Business Continuity
Businesses with limited resources may want to consider outsourcing business continuity planning to an outside provider. This is a perfectly acceptable strategy for both small and large businesses, particularly if in-house personnel have little experience building a BC plan.
Even if your organization already has a BCP, outsourcing business continuity planning can help to provide an independent audit of your plan or manage specific aspects, such as your continuity technologies.
Which BCDR Vendors are Right for You?
Business continuity and disaster recovery (BCDR) vendors can help to deploy the technologies you need to maintain continuity. These solutions can include data storage, backup, cloud replication and network solutions, just to name a few.
Choosing the right BCDR vendors is much easier when you already have a business continuity plan in place. Your BCP will identify the specific technologies you need to mitigate risks and recover from a disruption. Your continuity objectives will further help to narrow down your options: if a potential data backup solution can't meet your RPO, for example, then you need to look for other vendors.
Conclusion
Developing and maintaining a good business continuity plan is essential for keeping operations running through an unexpected disruption. By adequately assessing risks and outlining strategies for prevention, response and recovery, organizations can greatly reduce the chances of a prolonged interruption to essential systems and services.