When it comes to protecting your business, department-level business continuity plans make a critical difference.
Achieving true resiliency at an organization depends on its being robustly prepared in three areas: crisis management, IT/disaster recovery, and business continuity. The last of these—business continuity—is often the last area to be fully implemented.
If your organization lacks sound plans to ensure it can carry on its business processes after a disruption, your company is as stable as a two-legged stool. Protecting your business processes is critical to your survival.
We’ve been talking a lot lately in the blog about mock disaster exercises. Building off of those posts, I thought it might be worthwhile to look more closely at when these exercises should include departmental business continuity plans and what they should entail.
Whether using tabletop or full-interruption exercises, mock exercises (whether IT or non-IT based) are where we practice our recovery plans and the strategies that we have put in place to ensure that they will actually work when needed.
Today, we’re going to look more closely at the contents of the business continuity plans—the plans meant to allow you to keep your business processes going in the face of a disaster, or at least to quickly recover them. These are the plans used by non-IT departments for their actions. Remember, recovery is about more than just making sure applications and systems are available.
As I suggested above, business resiliency is a three-legged stool. The three legs are crisis management (CM), IT/disaster recovery (IT/DR), and business continuity (BC).
If you don’t have all three of these, your program will fail.
Winning the IT side of an emergency will do your organization no good if the departments that IT exists to support are out of commission.
In today’s post, we’ll set out what makes an effective recovery plan at the business recovery or process level so that it works to protect your business.
What do the plans for each department need to include to ensure that department can land on its feet in the event of an outage or emergency?
Read on to find out.
In devising recovery plans for any department, the first thing to keep in mind is that the plans you write have to be adequate for the four types of emergency events.
What are the four types of events to consider when it comes to protecting your business? They are:
Note that I didn’t say you need to plan for every bad thing that could happen. You don’t. Instead, you plan in terms of categories of events. For example, it does not matter whether the reason for your loss of building is a fire, flood, or safety issue; the impact is the same. I’m sure you can see how this makes sense. I hope you can also see how it will make your life easier.
An important note: these plans are not intended to replace emergency action plans related to health and safety (e.g., evacuation or medical emergency). They start after any safety-related event is stabilized.
Consider organizing the plan by event category with the event-specific actions grouped together. While the steps for the department’s plans for the different types of events will include a lot of overlap, usability is the most important aspect of a plan. Don’t worry about some repeat information if that makes the plan easier to use.
Once you begin thinking in terms of the four types of events, you can start analyzing the risks and impacts associated with each.
A good approach is to identify the top four or five risks or threats you will face under each of the four types of emergency events.
Ideally, you won’t be starting from scratch in developing this information. You should already have identified the major risks in the course of conducting your business impact analysis (BIA) or threat and risk assessment (TRA).
Note that the impacts we’re looking at are not necessarily those affecting the organization overall but those which threaten the department’s ability to carry out its business functions.
The focus here is not on computer applications but on equipment, people, the new location, changes to how processes are performed, customer access to the new location, communication with external parties, and any documentation needed.
It’s important to think about these matters in a high degree of detail. Are there special tools your people need to perform their jobs, such as special headphones or appliances?
This is all part of the risk and impact assessment of your business processes, and of your working out how you are going to continue performing those processes after each type of emergency event.
Next, you need to start thinking about dependencies.
Dependencies, in this case, are the things, other people, and third parties you need in place for your recovery plans to be executable.
You can plan all you want, but if you haven’t made the preparations necessary for your plans to work, you’re still out of luck. These preparations can make all the difference in protecting your business processes.
Think of the recovery plan itself as being equivalent to taking your cell phone when you go on vacation. The dependency is the charger you need to keep your phone powered up. No charger will eventually mean no power and no phone. Better bring your charger! And you better make sure you think about and cover for the dependencies you need to make your plans workable.
Here are the three main types of dependencies to think about:
The next thing to look at in devising your business recovery plans is the actions that must be taken. These can be divided into three types: Immediate, Containment, and Recovery. We’ll take a closer look at each below.
Immediate Actions. These are the actions that must be taken right away to protect people and property (assuming first responders have already been summoned, if necessary).
Containment Actions. These are the steps that must be taken to reduce further damage or impact from the event.
Recovery Actions. These are the actions that must be taken to move the department back toward normal operation. Note that some recovery actions would be performed for every type of event; others would only be performed in the case of particular events or impacts. The following are steps to be taken in regard to recovery actions:
The last major element of your business recovery plans is your reference information. This is the information you might need at some point in the process that isn’t included elsewhere in your plans. The point is to save people from having to try to remember these details in the heat of an emergency (and possibly forgetting some). The plan may either give a reference to where the information is located or include a copy in the appendix.
The following are documents that are typically included in this group of resources:
In some respects, business continuity plans are the plans that time forgot. Many organizations don’t believe they are needed in today’s technology-driven environment, focusing instead on crisis management and IT/DR. Don’t make this mistake. Follow the suggestions given above to make sure your company will be able to continue or quickly resume its critical business processes in the event of an emergency. Being well-prepared in terms of BC, CM, and IT/DR is the key to achieving true organizational resiliency.