What are Business Continuity Plans?
Before we can talk about a business continuity plan, we first have to talk about business continuity. Business continuity is the process of ensuring that the important services in a given company are available to those who need them, such as suppliers, customers, dealers, consulting firms and other important corporate entities, on a daily basis or in any given contingency. These operations are not carried out only in times of dire straits; rather, they are the day-to-day activities that ensure continued service availability and consistency. Things that fall within the purview of business continuity are help desk, project management and change control.
The development of a business continuity plan is based on standards and policies that ensure that a company can continue its operations regardless of whatever adverse circumstances may occur. Thus, business continuity planning is the strategy taken to identify possible threats to the company’s operations and to deploy resources to prevent them from occurring. Business continuity planning is therefore concerned with the effective and pro-active measures that are implemented before any disaster can occur. This includes a set of documented methodologies to ensure that a company can continue its key operations in times of emergency.
The Elements of a Business Continuity Plan Template
The main purpose of developing a business continuity plan template is to ensure the continuity of the business operation after a disruption. Here, I will briefly discuss the elements of a sample business continuity plan template following the PPRR framework (prevention, preparedness, response and recovery framework).
Prevention: Also known as Risk Management Planning, this element manages the likelihood of an incident occurring. If the incident does occur, it also manages the effect of the incident, whatever that is.
Preparedness: Also known as Business Impact Analysis, this element aims to identify the parts of a business that would be greatly affected by the disruption. It is closely related to Prevention, as both are pro-active responses to adversity.
Response: Incident response planning aims to minimize the immediate impact of the incident and takes immediate action to control it. The idea here is to contain as much of the situation as possible and avoid any further damage that it can cause.
Recovery: Recovery planning aims to bring the business unit (BU) back on track as fast as possible after a disaster in order to prevent further losses. The main idea here is to minimize recovery time, because the more time the business spends trying to recover, the greater its chances of not recovering at all.
All the elements in a business continuity plan template have to be rehearsed, reviewed and maintained so that you can test their effectiveness, update anything rendered obsolete by new developments and, lastly, make sure your staff are aware of the plan. What is given here is just a general template; different organizations can come up with their own templates as well.
The Nitty Gritty – Steps in Business Continuity Planning
For any plan to become a workable reality, there have to be detailed steps on how it should be done. Here, let me give you a detailed step-by-step guide to business continuity planning. Some companies will only implement their business continuity plan when disaster has already set in, but this should not be the case because, by definition, the plan is the set of steps you undertake to ensure that business flows smoothly on a daily basis, both during normal operations and during times of disaster. Here are the steps:
1. List down key personnel and their backups.
Make a checklist of personnel who are critical to your business. These are persons whose absence can really hamper the day-to-day operation of your business. Make sure to train a backup for each of them, because from time to time they will be absent, whether because they get sick or are on vacation. In making your checklist, make sure to include all possible means of communication, like emails, cell phone numbers and other channels, because you will definitely need them in times of disaster.
2. Identify those that can work from home or telecommute
With the advent of the Internet and other telecommunication technologies, it is now possible to work from home. Identify those who can do their jobs at home and make it possible for them to do so.
3. List down external contacts
External contacts include IT vendors, banks, brokers, lawyers and other people whom you might need when certain operational issues arise. Keep a special list of these people with their contact numbers so that you can easily call them when you need to.
4. List down key equipment
Most, if not all, companies nowadays cannot function without a computer. Make sure that you have a backup of all critical information. Some cannot operate properly without a fax machine or a special printer. Make sure that you have a backup system for when these things break down.
5. Identify important documents
Keep important documents like HR documents, articles of incorporation and other legal documents that might be necessary when you need to start your company all over again. You have to remember that you could be dealing with a total loss of facility and if you don’t have these documents backed up, you will have huge problems.
6. Identify equipment options and locations for contingencies
Suppose your business needs trucks, as an auto transport business does, and the trucks are damaged by fire. Where would you rent trucks to continue shipping operations? How about computers and fax machines: do you know of other companies that rent those things out?
Suppose your location is damaged by a typhoon. Where would you relocate? All these things should be taken into consideration in your business continuity plan.
7. Put all things together
All your plans would be useless if they are not put together in one cohesive plan that will define the role of each person. You should have a business continuity plan document which you put together in a binder and give each of your key personnel a copy. This will also give the plan an official certification status because it is really set down rather than just scattered in many different places.
8. Communicate with your people
After you have your plan compiled, set aside time to communicate it to your personnel. Free up some time to hold a mandatory training session to implement the plan, something similar to a fire drill. This way, your people will know what to do in any given situation.
9. Test the plan
Testing the plan can be done during the mandatory training session. Things will definitely come up that expose the weak spots of the plan. This will give you an idea of what needs to be changed and how to change it. Remember to remain flexible because there is always something that is beyond your plan.
10. Revise the plan
As soon as new things come up that would render your plan obsolete, make sure to update it to fit the current situation. This will make you more capable of dealing with the changing needs of the company. Just remember, nothing is written in stone.
All key personnel should be given a copy of your business continuity plan. It’s also not a bad idea to keep your own because even if you are the one who created it, there is always the tendency to forget. Those who don’t need a copy of your BCP should not have it because your plan can contain sensitive information that they don’t need to know and these could leak to your competition.
Business Continuity vs Disaster Recovery – How are They Related?
Most people confuse business continuity with disaster recovery, but the latter is more of a subset of the former. While business continuity is designed to make the daily undertakings of a business continue smoothly, disaster recovery is designed as a response to human or natural disasters, like a flu pandemic. Specifically, disaster recovery focuses on the IT infrastructure that supports a given business unit (BU).
So why is disaster recovery important? For the most part, it is because IT infrastructure has become more and more important to businesses and to the economy as a whole. Disaster recovery ensures that this infrastructure continues to operate unhampered, or recovers fast if it does break down. Studies have shown that, of businesses that don’t have a sound disaster recovery plan (and this is true of most small businesses), 43% close and never reopen after a disaster, 53% close after 2 years of major data loss and only 6% survive for a long time. This being the case, most companies nowadays invest 2% to 4% of their IT budget in disaster recovery planning because they believe that they would spend more if they were caught unprepared by a disaster.
Broadly, disasters can be classified into two types, both of which can have devastating effects on IT infrastructure. The first is natural disasters like hurricanes, typhoons, earthquakes and tsunamis. These are difficult to predict, and thus preventing them is also difficult. Mitigating their effects takes careful planning, including mitigation measures that should be in place to prevent or reduce loss when they happen. The second is man-made disasters, which include infrastructure failure, hazardous material spills, and bio-terrorism. In this case, monitoring or surveillance and mitigation planning are the most valuable tools to reduce their effects.
To reduce or eliminate the effects of a disaster, control measures need to be in place. These are mechanisms that reduce or eliminate the threats to the organization. These are:
1. Detective measures
Detective measures are the measures designed to recognize impending disaster. This could include software that can detect threats in a given IT infrastructure.
2. Preventive measures
These are closely related to detective measures. Preventive measures include routine measures that prevent IT infrastructure from breaking down. Examples include redundant system backup and system integrity checking. Doing this will ensure that systems are in good working condition.
3. Corrective measures
Corrective measures are measures taken to restore or correct a system after a disaster has taken place. This type of measure will ensure that the system will immediately come back to operation in the quickest possible time.
Strategies for disaster recovery vary from company to company, as their corresponding realities also vary. The best thing for a company’s disaster recovery planner to do is to refer to the business continuity plan, check which business processes the company operates and map them to the IT infrastructure that runs or backs them up. For example, the payroll system is backed up by a database server, so the two must be mapped together so that employees will not experience delays in their salaries.
What Should You Look for in Business Continuity Planning Software
Business continuity planning is not an easy task. In fact, a lot of the people in charge of it will turn to business continuity planning software to make their task easier. The problem is that some types of software have such a steep learning curve that, instead of helping you create a logical plan, they hamper you from accomplishing your goals.
Now you have to remember that you have to pay for the software, and if it defeats the purpose, then you are wasting company resources. So how exactly do you choose business continuity planning software? What are the things that you have to look for? Here are some tips:
1. Simplicity
Should business continuity planning software really make things more complicated than they need to be? As already mentioned, business continuity planning is already complicated as it is, and planning software is supposed to make the task easier. At a stroke, the software should remove the complexity involved in the task and help the planner do what he does best, and that is to plan things out.
2. Ease of use
Along with simplicity should come ease of use. Planning software must make use of the existing graphical user interface and associated pointing devices so that, at a click, a plan template is generated. Although cryptic commands are fun to use for programmers, business continuity planners don’t have any use for them. They should be given a user-friendly working environment.
3. Must be comprehensive
Although simplicity and ease of use are primary considerations for planning software, it must be comprehensive enough to take every variable into the plan template that it generates. It must not be too simple to be useful. It must cover everything from business impact analysis after an incident up to the point where the business can regain its footing. In fact, the software must allow constant updating of plans.
4. Must be stable
As already mentioned, the software must allow for constant updating of plans. This is a strenuous activity for any software, and if it is not stable enough, it could crash, possibly taking all saved data into oblivion. Good planning software must therefore be rock solid in order to be useful. You can just imagine the frustration you would feel if the software crashed on you when you were just about halfway into the planning process.
All these elements must be present in business continuity planning software; otherwise, it is just a waste of time and money. Software that makes business continuity planning more complicated than necessary is not worth the company’s dime because it is supposed to help make the planning process easier.