When Emergencies Strike, What Is Your Business Continuity Plan?
Effective business continuity planning begins with understanding your risks and dependencies and knowing how to prioritize your emergency response in the event of a disaster. In this guide, we’ll walk through everything you need to know to reduce financial losses, recover faster, and, most importantly, keep your people safe, informed, and connected if disaster strikes.
What Is a Business Continuity Plan (BCP)?
A business continuity plan outlines business processes that will take place before, during, and after an emergency to minimize interruptions and keep things as close as possible to “business as usual.”
As much as we don’t like to think about it, emergencies happen and can wreak havoc on any company, large or small. Why? Because emergencies often lead to interruptions in normal business operations, and these disruptions—large and small—can create long-term issues for human resources, information technology, and other business stakeholders when organizations’ emergency response plans—or those of their providers—are inadequate. They can take people and technologies offline for hours, even days or weeks, during and after an emergency.
The nature and impact of interruptions will vary depending on your industry, business locations, number of employees, and exposure to various types of threats. Some of the most common interruptions may include interference with:
- Supply chains
- Distribution channels
- Technology operations due to power or internet outages, cyberattacks, or data center failures
- Critical machinery or equipment operations
- Employee travel and accessibility to work locations
- Employee accessibility to work-related systems, applications, and data
- Customer accessibility to storefronts, websites, call centers, or customer-facing applications
A business continuity plan is an important component of risk management and emergency response. While the first objective during any crisis is to safeguard employees, the second is to safeguard the business. Planning for an unplanned emergency is critical to keeping both up and running. But how do you plan for the unknown? It’s not easy, but it is achievable if you take one step at a time.
Business Continuity Planning: What to Include
Your business continuity plan should include all of the information necessary to coordinate an effective response to any emergency or crisis event. Typically, a BCP will include each of the following:
- A comprehensive risk assessment
- A business impact analysis for each risk type
- A process for monitoring and detecting relevant threats
- Documented recovery time objectives
- Communication strategy & procedures
#1. Risk Assessment
The first part of any business continuity plan should be a thorough risk assessment to document threats based on their severity and likelihood. Specific threats will vary from organization to organization based on their geographical location and surroundings. However, most organizations should have a plan for common scenarios such as:
- Severe weather
- Workplace and structural fires
- Power and IT outages
- Pandemics and other health crises
- Physical threats from individuals
- Cybersecurity threats from inside and outside of the organization
- Natural disasters
By taking stock of historical events and the scenarios most likely to occur, organizations can begin to develop an ongoing list of potential threats. This list will evolve as the company grows its employee base, opens additional sites, sends employees to new business travel destinations, and adds fleet, equipment, and technology assets. Keeping this list fresh and adjusting the plan accordingly is a must.
#2. Business Impact Analysis
Once the threat assessment is completed, a business impact analysis (BIA) should be conducted to determine how each of these threats could influence the business. The goal of a BIA is to document predictable consequences of various types of disruptions and their impact on personnel and critical business functions. This information is then used to develop effective recovery strategies to mitigate risks and improve outcomes.
Any business disruption can have a detrimental operational and financial impact. These may include lost and/or delayed sales and income, delays to manufacturing or development, an inability to deliver goods or meet contractual agreements, increased expenses, customer dissatisfaction, and even regulatory fines.
Of course, the impact will depend greatly on the duration and timing of the disruption. A two-hour power outage will have less impact than a two-day work stoppage resulting from a hurricane. A fire in a remote and partially empty warehouse will be less of an interruption than a fire in an active manufacturing facility. By analyzing different possible scenarios, an organization can be better prepared to handle the emergency and to bring operations back online more rapidly. This analysis should be reevaluated regularly as new threats arise.
#3. Threat Monitoring and Detection
Once you’ve identified potential threats, you need a way to effectively monitor and assess critical events near your people and assets so you can react immediately. Monitoring events before they strike is critical to protecting your people and brand. It allows you to recognize and to predict critical situations before they happen – giving you the benefit of alerting and organizing your audience in advance.
#4. Recovery Time Objective
Once your risks have been identified and you’ve established a process for both identification and monitoring, it’s time to set goals. Establishing a Recovery Time Objective (RTO)—the maximum acceptable time for the business to be up and running following a crisis event—is a critical component of any BCP to ensure your response plans sufficiently protect the organization against long-term damages, including data loss, financial penalties, and more. This information will also have a direct impact on crisis management, risk mitigation, and communication strategy and how you prioritize response efforts.
#5. Communication Strategy
A business continuity program should have at its foundation a solid emergency communication strategy. In times of crisis and during critical events, communication is a lifeline. Being able to relay information and instructions to employees and other business partners is critical in keeping employees calm and guiding them to the appropriate behavior. While some employees will only need to keep themselves safe, others may be designated as part of a skeleton crew who will be responsible for operating and/or maintaining the business and/or its vital functions.
Your emergency management and business continuity teams should designate specific individuals accountable for emergency communication, as well as at least one level of backups per function, and train them accordingly. These employees will become the most important contacts during and after an emergency and will require multiple channels for communication.
Additionally, the types of communication channels are as critical as the communications themselves. Using an emergency communication system will help ensure notifications and alerts are sent across multiple channels simultaneously so that every employee receives the message intended for them. Remember: during an emergency, IT infrastructure may be compromised or computer systems may be inaccessible, so you should plan on using all available channels to communicate with critical personnel. Your system should also enable two-way communication so you can confirm whether messages were received while allowing employees to confirm their safety and contribute valuable information you can use to reduce downtime.
Communication channels may include text messages, mobile app push notifications, emails, phone calls, social media posts, Slack/Teams messages, intranet site alerts, and more. It is widely agreed that in today’s mobile culture, this multi-modal approach is the only way to ensure the affected employees receive the messages quickly, in real time, and on the devices they are most likely to have with them. It would be completely ineffective, for instance, to send an emergency email to every employee when a portion of employees are field workers with no access to email.
As part of your emergency response planning process, ensure you have accurate contact information for all internal and external stakeholders who will need to be notified in the event of an emergency.
Practice Makes Perfect
No emergency plan is complete without practice. This philosophy holds true for the business continuity plan. Every person in the company should have a solid understanding of business processes and what they are to do in case of specific incidents (such as a cyberattack) or general emergencies (such as fires, severe weather, workplace injuries, etc.).
The designated skeleton crew, in particular, should be clear on their roles and responsibilities, and exactly what, when, and how the business continuity plans will be triggered.
There are three basic steps in implementing both a disaster recovery plan and BCP. Not all employees will be involved in both, but all should have at least a general understanding of what will happen when the emergency plan is activated and which critical business functions will be prioritized. All employees should also have a current contact list of all of those who will be in authority during an emergency.
Before a company initiates a drill, it is a good idea to gather key stakeholders and decision-makers together to carefully and methodically evaluate the emergency and business continuity plans. Review each step with a critical eye to ensure nothing was missed and every area of the business is represented.
Once the plans are considered complete, it’s time to educate employees. Depending on how dispersed your employees are, you may choose to conduct on-site training sessions, run tabletop exercises, or develop an on-demand training curriculum that employees can watch on their own time. Because the goal is to obtain 100 percent participation, design a measurement tool that can provide a current list of employees who have and have not completed the training.
The next step is to practice what was learned. Scheduling regular full emergency evacuation drills is recommended. The more “real” the event appears, meaning key personnel and first responders are included in the event, the better-prepared employees will be should an actual critical event occur.
Those responsible for triggering the emergency plan and those involved in the skeleton crew should walk through their respective roles during a critical event. Role-playing is a successful tool that first responders often use themselves to ensure no step is missed. This role-playing will also give the organization valuable insight into how the plan actually works in a “real-life” scenario. Often, a plan will look comprehensive on paper but when it is practiced, weaknesses appear.
If possible, ask partners, vendors, and anyone who may be impacted by your company’s potential business interruption to be a part of the drill. They may be able to identify gaps in planning and also provide additional ‘what if’ scenarios.
Assess the Success
Practicing the plan is not the end of the process. In fact, it only provides a lens into how well (or not) the plan performed. You can gather valuable intelligence from each practiced drill and from the people involved. From the business leaders and skeleton crew to the employees who were impacted, it is important to gather feedback from every angle.
- Did every employee in every location know what to do?
- Was there any confusion, chaos, or panic during the drill?
- Were the emergency communications delivered across multiple channels simultaneously?
- What were the open rates for each mode of communication?
- Did the message communicated provide the proper level of information with instructions on where to find additional information?
- Were employees able to respond with two-way communication?
- How long did it take to trigger the business continuity plan?
- Was the designated skeleton crew able to keep operations going?
Of course, there would be dozens of additional questions as these are just a guide, but be sure to include the opinions and experiences of employees. Their perception of how well the drill was orchestrated is as important as the actual results. The goal is not only to protect the employees but to give them peace of mind that in virtually any situation, their company has their backs. Their perception is their reality and should be taken seriously.
Even though you may have designed the ideal emergency and business continuity plans, we all know things can change. In addition to changes in personnel, locations, and perceived threats, technology advancements may alter how the plan is executed. Communication channels, for instance, seem to evolve rapidly in this mobile culture. As the culture shifts in how we communicate, the plan should include the newer channels as they become more popular and widely used.
By bringing people together at least annually to review the current plan, to evaluate alternative available technologies, and to assess potential new threats, your organization will be better prepared for any situation. Planning is never a one-time event. It is ongoing and always has room for improvement. Be sure you have business continuity management processes in place to keep it at the forefront of your annual planning.
The period after a drill or an actual event is the perfect time to review lessons learned and to consider employee feedback. Be sure to include employees from remote locations, branches, and even overseas facilities. Every employee, whether centrally located or dispersed around the globe, should feel secure knowing their company has invested significant time and money in keeping them safe.
They should know how the business will operate during and after a critical event, where they can find information and key personnel, and how they can contribute to bringing the company back into full operation.
While the resources devoted to such exercises may seem excessive, should an event occur, you will be glad you took the necessary steps to put such a comprehensive plan in place. It is doubtful that any organization has ever said after an emergency, “I wish we hadn’t spent so much time on our emergency and business continuity planning.”
Starting from scratch may seem daunting but if you don’t have a plan or realize how insufficient your current plan is, it’s worth the effort. Even if you have plans in place, it’s a good idea to review them regularly. Some organizations prefer to outsource their plans to companies that are focused on emergency and business continuity planning. If you prefer to do it in-house, there is great business continuity planning software available, as well as several free online resources that can get you started.
Ready.gov, which provides preparedness advice from the U.S. government, outlines the following steps for designing a continuity plan:
- Define the scope, objectives, and assumptions of the business continuity plan
- Define the roles and responsibilities for team members
- Identify lines of authority, succession of management, and delegation of authority
- Address interaction with third parties including contractors and vendors
- Conduct a business impact analysis
- Develop detailed procedures, resource requirements, and logistics for the execution of the plan and the relocation to alternate worksites, as well as data restoration
- Document all forms and resource requirements for all manual workarounds
The site also addresses how to manage incidents, from defining procedures to training and practicing the plan, to maintaining the plan through continual improvements. It would be prudent to supplement the government’s recommendations with a checklist of all equipment and supplies, as well as the location of data backups.
Many organizations now use the cloud to store their data instead of on-site servers. In the case of an emergency where servers would be at risk, the cloud can offer peace of mind that data is always protected. In either case, redundant backup of all data is a necessity.
Other helpful resources include:
- The U.S. Small Business Administration (SBA) provides a site to help you create a disaster plan. An “Agility Recovery Solution” is offered for small businesses looking for business continuity planning tips. From step-by-step guides on how to create and maintain a comprehensive emergency management plan, to disaster recovery steps, and a checklist for creating a business recovery manual, the SBA has a wealth of information for companies of all sizes.
- The Occupational Safety & Health Administration (OSHA) offers a summary of steps to designing an emergency preparedness plan for small businesses, taken from The American Red Cross’ recommendations. This site includes a checklist for business continuity planning.
- DisasterRecovery.org offers a complete and rather detailed website dedicated to business continuity and disaster recovery steps. It provides a free disaster recovery whitepaper, a business continuity template, and case studies.
However you decide to build your emergency plan and/or business continuity plan, understand it will take time and involvement from many different people. Engage business leaders, key personnel, and third parties as each step of your plan is developed.
Time and resources spent on the front end will be well worth the investment on the back end when the plan is activated. As the saying goes, “it’s not a matter of if, but a matter of when.”
Being prepared takes effort. It takes initiative. It takes time. It takes deliberate, intentional planning. But with the right plan, practiced and rehearsed, your organization will be as prepared as it can be and more likely to keep your employees safe, the lights on, and the revenue humming.