Business continuity planning – surviving a disaster

Natural disasters like Hurricane Sandy and Covid-19 have underscored the need for disaster recovery and business continuity planning. According to U.S. government agencies, up to 40% of businesses fail to reopen following a disaster.

Before we delve into the components of business continuity planning (BCP), let’s clear up the confusion about the difference between BCP and disaster recovery (DR). BCP is a set of procedures that helps business organizations prepare for and respond to disruptive events. DR is the part of BCP that assumes there was an event where significant disruption to business computer systems, usually physical (e.g., earthquake, fire, etc.), has occurred. But there are events like security breaches or the sudden loss of a critical service vendor or supplier that don’t require DR but still need to be considered for BCP. 

Management has a responsibility to recover from such incidents in the minimum amount of time and the least amount of disruption to the business as possible.

Business continuity plans are required to ensure that key business functions continue operating in the event of an emergency — not just IT systems. While IT may be chosen to be the department responsible for coordination and delivery of the BCP, it is the responsibility of each division manager (HR, sales, finance, manufacturing, etc.) to own and maintain the BCP as it applies to personnel, processes and business functions within their areas of responsibility.

Business continuity planning has five major parts:

  • Business impact analysis and risk assessment
  • Recovery solution planning
  • Implementation
  • BCP testing
  • Maintaining the plan

An essential element of BCP is the business impact analysis and risk assessment. Without completing this initial first step, the rest of the plan will likely be flawed. The business impact analysis and risk assessment involves the process of identifying the critical functions necessary for the organization to continue business operations, assessing potential risks to the organization, defining and measuring controls in place to reduce exposure, and evaluating the cost of such controls. The risk-benefit analysis is the outcome of this assessment and will guide the rest of the BCP. 

Step two of the BCP, recovery solution planning, is specific to the particular situation the business unit is in. Attributes like the number of locations, distribution of personnel, lines of business, the interdependency of processes, disaster scenarios planned for, and requirements for alternative sites are all considered when creating the recovery plan. Minimally, your recovery plan should answer the following questions:

  • How do I ensure the safety and well being of my personnel?
  • Do I have a public relations communication plan (for executive staff)?
  • How do I handle payroll?
  • How do I process accounts payable and accounts receivable?
  • How do I fulfill orders (ship product)?
  • How do I take new orders?
  • How will I handle customer service?
  • How do I communicate with key management and staff?
  • Who invokes the plan?
  • What is required for training, preparation, and supplies?
  • How do I take my business back to “normal” state?
  • How will I test the plan?

Step three is the implementation of the plan. It includes training the personnel selected for the response team, preparing the documentation, collecting and storing supplies (checks, contracts, etc.), creating emergency authorization procedures and preparing the alternate worksite. Basically, you’ll be doing everything in preparation for executing the next step — testing the plan.

Step four, testing the BCP, is often viewed as too much of a disruption to business to be valuable. If you think testing is too much of a disruption to your business, imagine the chaos, impact on customer and supplier relationships, shareholder and public opinion, and impact on revenue when you encounter an event and you aren’t prepared for it. Also, it makes little sense to spend the resources on preparing a BCP if you aren’t going to test it to ensure that it fulfills the organizational requirements. The purpose of testing your plan is to ensure that your planning assumptions are correct, that the plan doesn’t have process, document or resource gaps, and that you have practice at managing through an event.

Businesses aren’t static, and neither should be your plan. As your business evolves through mergers and acquisitions, new products and new suppliers, your BCP should also evolve. Maintenance of your BCP is critical to how well your organization is prepared to handle the inevitable.