Business Continuity Plan Components: Do You Have The Right Ingredients?
I had an aunt who was never one for following recipes. She loved to cook, particularly new fare. But she was always confounded when a dish didn’t turn out as delicious as expected. She could never quite grasp the notion that by omitting ingredients or otherwise failing to follow the recipe, she was setting herself up for potential failure.
The same concept can be applied to business continuity plans (BCPs). Neglecting key plan components diminishes the resiliency and success of your plan. Your BCPs serve a crucial function for your organization: to help you minimize risk and maintain business services and processes in times of crisis. To support anything less than a complete plan is to jeopardize your company, your shareholders, and your customers. Let’s take a look at the most important BCP elements…
Key BCP Ingredients
• Risk Assessment
No BCP should be developed without first conducting a risk assessment. This helps identify and address potential risks and threats that could disrupt services and operations, along with their likelihood and expected impact. This first step is crucial because it offers an opportunity to minimize or eliminate certain risks before they become an incident.
For example: Through your risk assessment, you discover that your network firewall is out-of-date and leaves openings for potential breaches. You now take the opportunity to update your software and thereby diminish the threat of a data breach through that avenue.
• Business Impact Analysis (BIA)
This helps you determine your critical business functions and the level of impact to your organization should they be interrupted or lost. Without this data, you’re flying blind when you develop your plan.
• Recovery Time Objectives (RTOs)
Recovery Time Objectives are derived through the BIAs. Each business function should have an accompanying RTO. This is the acceptable amount of time your business can endure an interruption to that function without incurring damage or loss. It’s your recovery time deadline.
• Incident Response Plan
When a crisis does come down, the incident response plan is your map of actionable tactics and processes to help you effectively cope with the crisis and avoid or minimize disruption throughout the entire incident and recovery.
It’s often helpful to categorize a potential incident into three main branches:
1. Natural/weather – hurricanes, floods, severe snow storms, etc.
2. Human – active shooter, theft, transit disruption, top-level management lost in shared accident, etc.
3. Technical/Digital – data breach, loss of WiFi or telephone service, building ventilation malfunction, technology failure, etc.
• Emergency Communication
What good is a plan if you cannot communicate through the processes and progress? What if your default method fails? Will everyone know which alternative method to use? Do you have an alternative? Reliable and reciprocal communications are the binding ingredient of any BCP.
And again, what good is your plan if it does not perform as intended? What looks great on paper may not function well in action. Testing provides you the time and data to work out the kinks before a crisis puts your plans to the real test.
• Regular Updates
Lack of relevant and current data can weaken your BCP. What if you’ve replaced two of your key responders but failed to add their credentials to your plan? What if you’ve shortened your RTOs but failed to add the new estimate to your plan? Any out-of-date data can jeopardize your strategy.
Your complete plan should be documented and accessible to your entire enterprise, not just the key responders. Should any of those staff be unavailable or become injured when an incident hits, you’ll want to grant present personnel the ability to step in and know what to do without hesitation. Also, create both digital and hard copies. If you lose all power, paper is all you’ve got.
Mixing it All Together
Only once you’ve implemented all the necessary ingredients can you say your BCP is complete, but it is never “finished.” A complete BCP is one that is regularly updated and modified to align with enterprise, industry, and regulation changes. A whole, yet fluid BCP is your guard against disruption, damage, and loss. It’s your best pursuit towards a successful outcome.