Anything from a small-scale incident that can be controlled with minimal impact to a larger-scale disaster can destroy an organization that is not properly prepared.
In the wake of the recent disaster in Japan and its widespread impact on individuals, businesses and the global economy, it's worthwhile to reconsider the need to build a more resilient organization.
What is Business Continuity Planning?
Business Continuity Planning is a comprehensive, managed effort to prioritize key business processes, identify significant threats to normal operation and plan mitigation strategies to ensure effective and efficient organizational response to the challenges that surface during and after a crisis.
When developed properly, a Business Continuity Plan reduces uncertainty and helps an organization remain in control during the seemingly "unexpected."
Why is planning important?
According to the Bureau of Labor Statistics, 75% of companies without an effective Business Continuity Plan (BCP) fail within three years of a major disaster. Companies that aren't able to resume operations within 10 days are not likely to survive (50% will be out of business within five years).
Key elements of the planning process
Dwight D. Eisenhower was once quoted as saying that "Planning is more important than the plan." Your organization needs to consider the following key steps when creating a Business Continuity Plan:
Establish a planning committee. Assemble a small planning team that includes qualified people representing a cross-section of the organization. Having widespread involvement is critical to making sure your plan isn't built, and ultimately executed, in a vacuum.
Conduct a Business Impact Analysis (BIA). A Business Impact Analysis supports the entire Business Continuity Planning process. Businesses use the BCP process to identify hazards and assets at risk, quantify and qualify impacts on an organization of a loss, interruption or disruption and its dependencies. It also identifies the minimum level of resources required to achieve sufficient or acceptable recovery and helps establish the organization's risk appetite.
First, explore all the risks that your organization is exposed to and the possible major disruptions that could occur. Your location and the nature of your business can all present risks, which could include natural, man-made and technological events.
Then identify the impact to your business. This could be in lost production sales, casualties or loss of customers.
Based on this, determine which functions are priorities and how soon they need to be recovered (Recovery Time Objectives, or RTO).
Mitigate risk where feasible. Based on the BIA, organizations should mitigate risks that threaten the health and safety of people, operations, company assets or the environment, reducing the risk to an "acceptable level." Risk mitigation could include a number of strategies, covering a wide range of costs and timelines. Because no amount of planning can avoid all risk, businesses should develop continuity/recovery strategies to maintain business-critical processes.
Establish business continuity strategies. Corporate, facility and process-level strategies are necessary, including strategies for the recovery of key resources. Some examples include alternate operating sites, cross-training, use of secondary suppliers and work-at-home strategies. For all levels of the organization to embrace strategies, they must be cost-effective. "Lean and mean" is the way to go.
Develop the plan. Document the analysis process and develop a plan and procedure to use if a disaster occurs. The plan should include, at minimum, roles and responsibilities, activation procedures, emergency procedures, communications and notifications and the process for training, testing and maintaining the plan. Distribute a copy of the plan to all individuals with responsibilities, with multiple copies available at current and alternate locations.
Implement and train. Identify employees who have key roles and assignments in the business continuity, disaster recovery and incident response processes. Provide training so employees will be able to carry out their duties should an event occur.
Test the plan. Testing is the generic term for the critical process of exercising strategies and plans, rehearsing with team members and staff, and testing systems (technology, infrastructure and administrative) to demonstrate business continuity competence and capability. Tabletop exercises are one simple way for facilities to test various strategies.
Audit and evaluate the plan. Review the plan on a regular basis and make changes when you discover deficiencies or when functions/strategies have changed; then distribute revised information.
Every business is at risk, and the impact of not being prepared can be immense. Anticipating potential interruptions, planning your response and establishing strategies for business continuity will greatly minimize the negative impact to your business. Contact your HUB advisor for more information on creating a Business Continuity Plan for your business.
Todd Macumber, MBA, CSP, CIE, ARM, is President, Risk Services of HUB International Limited. You can reach him at Todd.Macumber@hubinternational.com.