How to Create and Leverage a Business Continuity Checklist for Emergency Planning
This post will cover how businesses can create and leverage a robust business continuity plan checklist to improve emergency preparedness.
No one enjoys the feeling of being unprepared. Imagine for a second you find yourself back in school. You have an exam tomorrow, but you spent the entire week procrastinating and haven’t studied. You still have a few hours to cram, but there’s little hope you will remember everything. That existential sense of dread you may remember is the same feeling many leaders experience when a disaster strikes and their organization lacks a robust business continuity plan.
During business-critical events, a business continuity plan is critical to helping emergency response leaders and key stakeholders understand what to do, who to contact, how to respond, or the steps that should be taken to alleviate some of the impact. A business continuity plan also helps accelerate response times, bolstering employee safety, and protecting the company’s infrastructure. A well-developed business continuity plan serves as an emergency checklist—not unlike a study guide, but for all emergency scenarios that might occur. In this post, we discuss what makes for a useful business continuity plan checklist and how you can create one that fits your organization’s unique needs.
Why You Need a Business Continuity Plan (BCP) Checklist
A robust business continuity and disaster recovery plan should encompass all significant events that could endanger your people or interrupt business operations, including everything from a simple power outage and unplanned downtime to weather-related supply chain disruptions, natural disasters, and unexpected public health crises such as the pandemic.
Your business continuity plan should include things like how to communicate with employees (and across which channels), whether job responsibilities will need to change for the duration of the event, evacuation procedures, and more. The exact details will vary depending on your company size, industry, and complexity of your business. For instance, if you work with supply chain partners, you’ll need to include plans for how to respond to emergencies occurring at third-party sites as well as your own. Perhaps you rely on data at a backup site and need to know how to get it up-and-running again should there be an outage. Or maybe your organization depends on outside vendors to conduct business and a vendor experiences their own emergency and can’t continue operations. These are issues you need to consider when creating your business continuity plan.
Similarly, a business continuity plan (BCP) checklist outlines a set of procedures that take place before, during, and after each of those scenarios to minimize interruptions and keep things as close as possible to “business as usual.” The goal of the checklist is to improve organizational readiness and aid in your preparedness efforts so response teams can methodically execute plans step by step without overlooking any critical details.
What Your Business Continuity Checklist Should Include
According to Bob Arnold, president of Disaster Recovery Journal, the key to developing a sound business continuity plan checklist is understanding an organization’s potential risks. This could involve everything from a wildfire, to a cyber-attack, to a global pandemic. Here are the steps to get started building a checklist for your organization.
Analyze your potential threats
As Bob put it during a recent interview on The Employee Safety Podcast, “threats come at us more frequently and more violently today.” You may not be able to predict which threats will impact your locations and assets, but you can conduct a business threat assessment to ensure you will be prepared for threats when they inevitably arise.
- People impact: What are the situations that would impact your employees’ ability to work? Which people or job functions are most critical to your organization’s ability to continue delivering goods and services to customers?
- Partner impact: Which partners and service providers are you most reliant on? What is your business impact if a partner’s operations are disrupted?
- Facility impact: What are the scenarios that could cause one or more of your worksites to become unavailable? What is your backup plan if a site or region goes offline?
- Technology impact: Which systems or tools are used to deliver goods and services to customers? What systems are used to communicate and coordinate internally?
- Brand/Reputation impact: What is the financial or brand impact should your business no longer be able to operate normally? What actions should be taken to mitigate lasting damage to customers’ perception of your business?
A business threat assessment addresses both the impact and likelihood of all possible external and internal events, offering a guide for how to put your organization in the best position to respond to whatever threats come your way.
Define roles and responsibilities
Establish a chain of command so everyone knows who to turn to when a critical decision needs to be made. Be sure to include departments beyond the crisis team, including internal communications, IT, as well as any executives who may need to communicate important information to employees and other stakeholders. Don’t forget to outline secondary contacts as well in case primary stakeholders become unavailable.
Ensure emergency contact information is accurate
Make sure to have phone numbers readily available for staff as well as local police and fire departments, utility companies, and any other external organizations who may be able to help in the event of a threat. An emergency communication system capable of integrating with your HRIS can also help ensure this information is regularly updated and reflects employees’ current information.
Assign a recovery team
A recovery team should include personnel responsible for coordinating, communicating, and managing employees and stakeholders during an emergency or business interruption. The recovery team will also be responsible for actual recovery of business operations, whether it’s preparing an additional site for operation, communicating with system vendors, and updating plans as more details emerge.
Have a backup plan
Nearly all businesses today use computers to complete daily tasks, so a loss of those computer systems could mean devastation. For that reason, perform regular backups of all your computer systems and make copies of critical information either to a remote location or server. Once you back it up, make sure you also record details of how to access it. Other considerations include:
- Backup power: Consider keeping backup generators on hand in the event of a power outage so you can get your electrical systems or computers back up and running quickly.
- Alternate operations site: Set up a second physical location where business operations can still be conducted if you lose access to your headquarters. This second location should include all the same tools and systems needed to continue work as planned as well as equipment to recover the primary site.
- Essential equipment and services: Essentials include access to email, web servers, data backup sites, and any other tools your day-to-day operations require. Consider the applications and vendors you depend on, and make sure you’ll still be able to use them should an incident occur.
Establish a recovery plan
Once you mitigate a threat or incident, a recovery plan outlines how to get your business back to normal as quickly as possible. The U.S. Small Business Administration (ABA) offers helpful resources for developing a recovery plan, in addition to OSHA and DisasterRecovery.org.
Document and test your communications plan
You may not always be able to text or call every employee to communicate about a disaster or other incident. Your method of communication needs to be multichannel and should include email, Slack, social media networks, and push notifications. According to Michelle Schutte, managing director of business continuity and incident management at Charles Schwab, you also need to have a method of communications based on urgency. “You need something that really captures someone’s attention and makes them click it to go away,” said Schutte. Additionally, urgent communications shouldn’t be sent via regular, day-to-day methods such as email.
5 Steps to Creating a Business Continuity Plan
JetBlue Airways’ 22,000 employees serve millions of customers across 26 countries. The company’s business continuity plans include dozens of possible threat scenarios, ranging from severe weather to fleets getting grounded to acts of terrorism.
Not every organization will face the same threats as JetBlue, but Penny Neferis, director of business continuity and disaster response at the airline, takes an approach to business continuity that offers a good example for how every organization should handle a crisis.
Step #1: Create a team
The first step to developing a business continuity plan involves determining who will be responsible for updating and executing the plan. Business continuity and disaster recovery warrants its own team; however, the team should consider which other departments will be vital to recovery.
According to Penny, “Our small-but-mighty disaster response team [can] only work so long, and we had to learn to count on other groups to step in and help. Our teams are robust, but we felt ownership to take all emergency responses on our shoulders in the past.”
Assign one person the sole responsibility for taking charge but assign additional recovery tasks to a variety of people across each unit of the business to guarantee no department gets left behind.
Step #2: Conduct a business impact analysis
According to Ready.gov, a business impact analysis (BIA), “predicts the consequences of disruption of a business function and process, and gathers information needed to develop recovery strategies.” While similar to the threat analysis mentioned above, a BIA views threats from a cost perspective and outlines the total time it would take to recover an organization’s most important functions—including dependencies, such as people and communities. Emergencies often extend beyond the borders of an organization.
“When a crisis does happen, we look at it from three different lenses,” said Penny. “What impact does this have on our staff and crew members? What impact does this have on our customers, and what impact does this have on our community?”
Step #3: Map out your plan
Now that you have your team and you understand each threat’s impact to your business, you need to actually map out a strategy for how to keep your business running—easily the most important component of a business continuity plan. Make a list of the most critical functions to your organization as well as the disruptions that could hinder them, and develop practical recovery strategies for each scenario. Consider various “what ifs” to instill confidence among your team that they’ll be able to respond no matter the situation.
Step #4: Train and educate
You’ve completed your plan, and now you need to train your staff on it. Conduct tabletop exercises and emergency drills so everyone knows the role they will play should a disaster occur. The more “real” the event feels, the better prepared employees will be. Include key personnel and first responders and use these training sessions to identify missing aspects or weaknesses in your plan.
Step #5: Analyze and update as new threats are identified
The threat landscape evolves constantly, with new risks to business operations occurring every year. Before 2020, few organizations probably expected they would be dealing with an ongoing global pandemic, but they quickly learned to adapt. Business continuity requires both immediate and ongoing attention, and plans should be frequently analyzed and updated based on recent events and predictions.
For instance, we know climate change will continue to be a topic of discussion, and organizations need to ensure they are prepared for increasingly severe weather events. Last week, winter storms left millions of Texans without power and water for days at a time, and numerous businesses temporarily closed as a result. These types of events will continue to challenge organizations worldwide, and by updating your business continuity plans to address them, you’ll ensure a more sound and reasonable response that keeps your business thriving.
At the end of the day, business continuity planning must be fluid. But perhaps more importantly, it must also be consistent. Events will never happen exactly as you plan, but by remaining vigilant, you’ll steer clear of ‘Deer in the Headlights’ Syndrome and be prepared for any new challenges that may come your way.
Check out more information on how AlertMedia can help you build your own business continuity plan here.