Maintaining stable business operations is key to keeping up with competitors and potentially surging past them when disruptions occur. Given the growing number of risks companies face today, businesses will continue to face ever-changing disruptions, and quickly acting on them requires having a solid business continuity plan (BCP) in place. Is your organization prepared to respond to the myriad of threats that have arisen in recent years?
Consider our evolving climate. From the floods in Europe and China during the summer of 2021 to the wildfires and drought that have come to characterize summers in Australia and the western United States, all corners of the world have experienced extreme weather events. Businesses must now prepare for the unexpected — a week-long deep freeze in Texas, say, or flooding in New Jersey — and the danger posed to employee safety, physical assets, and day-to-day business operations during these events.
But those aren’t the only byproducts of environmental change. New studies and analyses suggest that ongoing environmental harm caused by human development and activities is reducing our biodiversity and increasing the likelihood of future pandemics — and the COVID-19 pandemic has taught us just how disruptive that can be, particularly for globalized business operations. Supply chains have been upended and the digitization of workplaces accelerated. Indeed, an INTERPOL report documented a sharp rise in cyber-attacks against large corporations, governments, and critical infrastructure as the pandemic forced organizations to quickly move operations online.
These threats are unlikely to dissipate, further elevating the importance of business continuity plans to organizations’ success.
How did business continuity plans come to be?
Before the details of a business continuity plan can be figured out, there must first be alignment around what it even is. Some believe it’s synonymous with a disaster recovery plan, but a disaster recovery plan is actually a component of a BCP. Business continuity plans initially were born out of a need for disaster recovery planning in the early 1970s. At the time, financial companies needed to store backup records away from computers, and recovery efforts were generally the result of disasters like fires and floods. The emphasis was on IT protection, which continued in the 1980s with the proliferation of commercial recovery sites for computer services. Globalization began to ramp up in the following decade as access to data became easier, facilitated by more complex computing systems.
That complexity prompted organizations to think more holistically about risks that could affect the smooth delivery of their goods and services. Instead of a reactive response — planning what happens after a disaster occurs — businesses began to take a more proactive approach. What could they do in advance, and what was the landscape of threats to navigate? Soon, businesses began to expand their thinking beyond IT recovery. How would they respond if a key vendor could no longer provide its service or product? What if there was a regional infrastructure outage, an active shooter situation, or a tornado that damaged critical facilities?
With the universe of harms realized, organizations understood that a more expansive plan was necessary, and business continuity meant integrating elements of disaster recovery planning but also emergency preparedness and crisis management.
How to create a business continuity plan
Assemble your team
The first step when preparing a BCP is identifying who needs to lead, create, and execute it. It’s best when the effort can be spearheaded from the top, such as at the board or executive level. Leadership buy-in sends a strong message throughout the organization that business continuity is a top priority.
While the C-suite puts its support behind business continuity planning, leaders may not directly manage the initiative. Instead, senior staff from departments such as IT, HR, Communications, and Operations — whichever business units the company deems critical to the continued delivery of its products and services — should come together to hammer out the BCP. You may also want to include external parties, such as security contractors and facility or property managers. Each has intimate knowledge of their unit’s processes, tools, and personnel so they can best advise on how their department will contribute to business continuity.
Gathering this interdisciplinary team will also ensure alignment on roles and responsibilities so no one is caught off guard during a disruption, but be sure each member has an on-call resource as a backup. That way, should a disruption occur while a BCP lead is away, another subject matter expert can easily step into their role.
Conduct a business impact analysis
Once you’ve established your business continuity team, conduct a business impact analysis (BIA). Identify the risks that could affect your organization and evaluate the degree of harm each could inflict upon its operations, such as regulatory fines, unfulfilled SLAs, or loss of income. Consider surveying individual team members to learn what they believe the risks are for the specific function or process they oversee, what impacts would occur during a disruption, and what resources, tools, or processes would be needed to maintain service. Organize the impacts by priority; keeping staff safe should be the highest priority, followed by those with the greatest economic and operational impacts.
Identify recovery strategies
With your BIA in hand, you can determine the recovery time objective (RTO) for various scenarios. How much time do you have to restore operations to an acceptable level after certain kinds of disruption?
Assess your response capabilities. Questions to consider include:
- Do you have the right tools available?
- What about the right people? Who has the skills and experience to replace key staff in the event they can’t be reached?
- How do vendors and partners crucial to your business operations plan to respond to incidents that affect your products and services? Are their BCPs publicly available, or do you need more concrete or specific details?
Weigh the cost of the impact against the cost of the recovery strategy and decide between your options.
Develop a plan
Build a business continuity plan around your chosen recovery strategies and the teammates, partners, tools, and processes that will be needed to implement it. Benchmark your draft plan against others in your industry.
Before obtaining final approval of your BCP, share it with a diverse group of stakeholders to ensure perspectives you may have missed are addressed. For example, the RTOs you established may not be realistic. Adjust accordingly, seek executive sign-off, and once finalized, promote your BCP internally and externally. You want to show the value of your business continuity program.
While many typically focus on return on investment (ROI) in terms of fiscal metrics, Regina Phelps, an internationally recognized emergency management and continuity expert, recommends guiding the conversation towards VOI or value on investment. First coined by technology research and consultancy Gartner, Inc., VOI refers to the intangible assets that contribute to a company’s performance. Those assets could include improved staff skills, better execution of company processes, a sharper competitive edge, and hardier business resilience — so-called “soft” investments that strengthen an organization.
Lastly, ensure your BCP is readily accessible and regularly updated. If your network goes down, for example, can employees find the BCP through a mobile app? Do you have a unified critical event management (CEM) platform like Everbridge that syncs information like new contact information and staff as they change over time?
Regularly test your business continuity plan
Train your staff on how to execute the BCP and perform mock drills to test its efficacy. New threats are bound to crop up, and business processes are subject to constant revision, so it’s important to ensure that your BCP can respond to these. Evaluate it regularly — you may even want to bring in an external, certified business continuity professional to assist in its review.
Secure your digital transformation
The through-line in contemporary business continuity plans is digital transformation. Organizations today work best on a single platform that allows teams to communicate as one. Redundant tools risk creating silos and, worse, offering conflicting information.