What Is A Business Continuity Plan?
As much as we don’t like to think about it, emergencies happen and can wreak havoc on any company, large or small. Why? Because emergencies often lead to interruptions in standard operations and the disruption has little regard for the size of the company. They can take people and technologies offline for hours, even days or weeks during and after an emergency.
A business continuity plan outlines procedures that will take place before, during, and after an emergency to minimize interruptions and keep things as close as possible to “business as usual.”
Interruptions will vary depending on the industry, location, and employee base but some of the most common interruptions may include interference with:
- Supply chains
- Distribution channels
- Technology operations due to power outages, internet outages, or damage to hardware
- Critical machinery or equipment operations
- Employee travel and accessibility to work locations
- Employee accessibility to work-related systems, applications, and data
- Customer accessibility to storefronts, websites, call centers, or customer-facing applications
An emergency plan is not complete without a business continuity plan. The first objective for any emergency plan is to safeguard employees. The second priority is to safeguard the business. Planning for the unplanned emergency is critical to keeping both up and running. But how do you plan for the unknown? It’s not easy, but it is achievable if you take one step at a time.
What’s in A Business Continuity Plan?
The first part of any business continuity plan should be a thorough threat assessment. Every organization is faced with some common threats, such as fire, power outages, IT outages, physical threats from individuals, and cyber threats from inside and outside of the organization. Natural disasters will, of course, vary from organization to organization based on their geographical location and surroundings.
By taking stock of historical events and most-likely-to-occur scenarios, organizations can begin to develop an ongoing list of potential threats. This list will evolve as the company grows its employee base, the number and locations of additional sites, the locations where employees may travel for business, and its fleet/equipment/technology assets. Keeping this list fresh and adjusting the plan accordingly is a must.
Business Impact Analysis
Once the threat assessment is completed, a business impact analysis (BIA) should be conducted to determine how each of these threats could influence the business. Ready.gov defines it this way: “A BIA predicts the consequences of disruption of a business function and process, and gathers information needed to develop recovery strategies.”
Any business disruption can have detrimental or moderate operational and financial impact. These may include lost and/or delayed sales and income; delay in development, production and/or delivery of goods; increased expenses; customer dissatisfaction; and even regulatory fines.
Of course, the impact will depend greatly on the duration and timing of the disruption. A 30-second power outage will have less impact than a 24-hour IT outage. A fire in a remote and partially-empty warehouse will be less of an interruption than a fire in an active manufacturing facility. By analyzing different possible scenarios, an organization can be better prepared to handle the emergency and to bring operations back online more rapidly.
This analysis should be reevaluated regularly as new threats arise.
Once you’ve identified your threats, they need to be monitored so you can react immediately in the face of an event. Monitoring events before they strike is critical to protecting your people and brand. It allows you to recognize and to predict critical situations before they happen – giving you the benefit of alerting and organizing your audience in advance.
A business continuity plan should have at its foundation a solid mass communication strategy. In times of crises and critical events, communication is a lifeline. Being able to relay information and instructions to employees is critical in keeping employees calm and guiding them to the appropriate behavior. While some employees will only need to keep themselves safe, others may be designated as part of a skeleton crew who will be responsible for operating and/or maintaining the business and/or its vital functions.
Organizations must designate this crew of people, as well as at least one level of backups per function, and train them accordingly. These employees will become the most important contacts during and after an emergency and will require multiple channels for communication.
The types of communication channels is equally as critical as the communications themselves. An emergency communication system must be in place and should include multi-mode functionality, meaning notifications and alerts must be sent across multiple channels simultaneously to ensure every employee receives the message intended for them. They should also include two-way communication so employees can engage and contribute information.
Channels may include text notifications, push app notifications, emails, phone calls, social media posts, intranet site alerts, and in-office broadcasts. It is widely agreed that in today’s mobile culture, this multi-modal approach is the only way to ensure the affected employees receive the messages quickly, in real-time, and on the devices they are most likely to have with them. It would be completely ineffective, for instance, to send an emergency email to every employee when a portion of employees are field workers with no access to email.
Practice Makes Perfect
No emergency plan is complete without practice. This philosophy holds true for the business continuity plan. Every person in the company should have a solid understanding of what they are to do in case of specific and general emergencies. The designated skeleton crew, in particular, should be clear on their roles and responsibilities, and exactly what, when, and how the business continuity plans will be triggered.
There are three basic steps in implementing both an emergency response plan and a business continuity plan. Not all employees will be involved in both, but all should have at least a general understanding of what will happen when the emergency plan is activated. All employees should also have a current contact list of all of those who will be in authority during an emergency.
Before a company initiates a drill, it is a good idea to gather key stakeholders and decision makers together to carefully and methodically evaluate the emergency and business continuity plans. Review each step with a critical eye to ensure nothing was missed and every area of the business is represented.
Once the plans are considered complete, it’s time to educate employees. Depending on how dispersed your employees are, you may choose to conduct on-site training sessions or develop webinars where employees can watch on their own time. Because the goal is to obtain 100 percent participation, design a measurement tool that can provide a current list of employees who have and have not watched the webinar.
The next step is to practice what was learned. Scheduling regular full emergency evacuation drills is recommended. The more “real” the event appears, meaning key personnel and first responders are included in the event, the better prepared employees will be should an actual critical event occur.
Those responsible for triggering the emergency plan and those involved in the skeleton crew should walk through their respective roles during a critical event. Role playing is a successful tool that first responders often use themselves to ensure no step is missed. This role playing will also give the organization valuable insight into how the plan actually works in a “real life” scenario. Often, a plan will look comprehensive on paper but when it is practiced, weaknesses appear.
If possible, ask partners, vendors, and anyone who may be impacted by your company’s potential business interruption to be a part of the drill. They may be able to identify gaps in planning and also provide additional ‘what if’ scenarios.
Assess the Success
Practicing the plan is not the end of the process. In fact, it only provides a lens into how well (or not) the plan performed. You can gather valuable intelligence from each practiced drill and from the people involved. From the business leaders and skeleton crew to the employees who were impacted, it is important to gather feedback from every angle.
Ask questions like:
- Did every employee in every location know what to do?
- Was there any confusion, chaos, or panic during the drill?
- Were the emergency communications delivered across multiple channels simultaneously?
- What were the open rates for each mode of communication?
- Did the message communicated provide the proper level of information with instructions on where to find additional information?
- Were employees able to respond with two-way communication?
- How long did it take to trigger the business continuity plan?
- Was the designated skeleton crew able to keep operations going?
Of course, there would be dozens of additional questions as these are just a guide, but be sure to include opinions and experiences of employees. Their perception of how well the drill was orchestrated is as important as the actual results. The goal is not only to protect the employees, but to give them peace of mind that in virtually any situation, their company has their backs. Their perception is their reality and should be taken seriously.
Even though you may have designed the ideal emergency and business continuity plans, we all know things can change. In addition to changes in personnel, locations, and perceived threats, technology advancements may alter how the plan is executed. Communication channels, for instance, seem to evolve rapidly in this mobile culture. As the culture shifts in how we communicate, the plan should include the newer channels as they become more popular and widely used.
By bringing people together at least annually to review the current plan, to evaluate alternative available technologies, and to assess potential new threats, your organization will be better prepared for any situation. Planning is never a one-time event. It is ongoing and always has room for improvement. Be sure you have business continuity management processes in place to keep it at the forefront of your annual planning.
After a drill or an actual event, it is the perfect time to review lessons learned and to consider employee feedbacks. Be sure to include employees from remote locations, branches, and even overseas facilities. Every employee, whether centrally located or dispersed around the globe, should feel secure knowing their company has invested significant time and money in keeping them safe. They should know how the business will operate during and after a critical event, where they can find information and key personnel, and how they can contribute to bringing the company back into full operation.
While the resources devoted to such exercises may seem excessive, should an event occur, you will be glad you took the necessary steps to putting such a comprehensive plan in place. I doubt any organization has ever said after an emergency, “I wish we hadn’t spent so much time on our emergency and business continuity planning.”
Starting from scratch may seem daunting but if you don’t have a plan or realize how insufficient your current plan is, it’s worth the effort. Even if you have plans in place, it’s a good idea to review them regularly. Some organizations prefer to outsource their plans to companies who are focused on emergency and business continuity planning. If you prefer to do it in-house, there is great business continuity planning software available, as well as several free online resources that can get you started.
Ready.gov provides organizations with helpful tips on designing a continuity plan. It stipulates the following steps:
- Define the scope, objectives, and assumptions of the business continuity plan
- Define the roles and responsibilities for team members
- Identify lines of authority, succession of management, and delegation of authority
- Address interaction with third parties including contractors and vendors
- Conduct a business impact analysis
- Develop detailed procedures, resource requirements, and logistics for the execution of the plan and the relocation to alternate worksites, as well as data restoration
- Document all forms and resource requirements for all manual workarounds
The site also addresses how to manage incidents, from defining procedures to training and practicing the plan, to maintaining the plan through continual improvements. I would add to the government’s recommendations to include a checklist of all equipment and supplies, as well as the location of data backups. Many organizations now use the cloud to store their data instead of on-site servers. In the case of an emergency where servers would be at risk, the cloud can offer peace of mind that data is always protected. In either case, redundant backup of all data is a necessity.
Other helpful resources include:
The U.S. Small Business Administration (SBA) also provides a helpful site to help you create a disaster plan. An “Agility Recovery Solution” is offered for small businesses looking for business continuity planning tips. From step-by-step guides on how to create and maintain a comprehensive emergency management plan, to disaster recovery steps, and a checklist for creating a business recovery manual, the SBA has a wealth of information for companies of all sizes.
OSHA offers a summary of steps to designing an emergency preparedness plan for small businesses, taken from The American Red Cross’ recommendations. This site includes a checklist for business continuity planning.
Disasterrecovery.org offers a complete and rather detailed website dedicated to business continuity and disaster recovery steps. It provides a free disaster recovery whitepaper, a business continuity template, and case studies.
However you decide to build your emergency plan and/or business continuity plan, understand it will take time and involvement from many different people. Engage business leaders, key personnel, and third parties as each step of the plans are developed.
Time and resources spent on the front end will be well worth the investment on the back end when the plan is activated. As the saying goes, “it’s not a matter of if, but a matter of when.” To be prepared, you must BE prepared. It takes effort. It takes initiative. It takes time. It takes deliberate, intentional planning. But with the right plan, practiced and rehearsed, your organization will be as prepared as it can be and more likely to keep your employees safe, the lights on, and the revenue humming.