The Essentials of Business Continuity Planning
Whether natural or man-made, small- to large-scale catastrophes can strike businesses without warning. When they do, having a well-developed business recovery or continuity plan ready and waiting reduces not only the negative economic impact but also the risk of closing down an organization forever.
A business continuity plan should always be in written form and ready to be implemented at a moment’s notice, and it should anticipate scenarios ranging from storms, floods and fires to massive power outages and even civil disturbances. It should also address an organization’s economic, human-resource and technological needs. Here are some essential elements to consider when developing a comprehensive plan:
A clearly defined team
In an emergency, people shouldn’t have to wonder who’s in charge. Create a business continuity team with members in every part of your organization, in every location where you operate. These individuals will lead the local response to local events as well as the organization-wide response for both local and broader-based emergencies. They should stay involved in planning and testing throughout the year to keep the plan up to date and gain the familiarity they’ll need to perform under the pressure of an actual emergency. High-level support is crucial to make sure business continuity gets the attention and resources it should.
A business’s most valuable resource is its people. How will your organization evacuate, aid and instruct personnel in an emergency? If the workplace is forced to close, is there a way to maintain communication and work with employees at their homes or a remote location?
Nothing is more important than keeping people safe. Local agencies such as the Red Cross, fire department and police department, as well as federal entities, such as the FEMA Community Emergency Response Teams (CERT), can provide emergency response training and other guidance for your program. Tailor your procedures to your workforce, facilities and locations, and review and test them regularly with all employees.
A detailed plan
Think through the kind of disruptions that could occur in each place where you do business. Assume the worst, then figure out what you’d need to do to maintain your most important operations. Rank your recovery priorities in business terms such as revenue, regulatory implications, brand concerns, customer protection—whatever matters most to your organization—then map these to applications, people, facilities and equipment. Once your business continuity team has come to an agreement on this analysis (which isn’t always easy), it can start to identify recovery strategies and costs around each process. This will also help IT make sure that the most critical applications will be available to the business within an established recovery time objective (RTO) and recovery point objective (RPO).
An out-of-date or ineffective business continuity plan can be worse than none at all, giving you a false sense of security and leaving you to scramble when things go wrong. Review and update your plan at least once a year, and ideally more often than that, to reflect changes in your IT environment, business priorities, operational structure and other factors. Conduct full simulations at least annually as well, covering everything from application recoverability to crisis communications. Supplement these with frequent tabletop exercises that introduce new twists into disaster scenarios to keep you on your toes.
Effective communications can make the difference between panic and smooth emergency response. Create a toolkit that encompasses the full range of communications channels, including telecom, email, public address, intranet, IM, texting and the company website. Draft sample emergency messages in advance so they can be updated quickly during an actual emergency, and make sure you’re prepared to deliver a consistent message to the public as well through press releases, social media updates and interviews with spokespeople.
Uninterrupted access to business resources
It’s important to keep people working—not just to maintain productivity, but to protect data and make sure your customers aren’t left hanging. Remote access technologies make it possible for people to work wherever it’s safe and convenient, whether at home, in a hotel conference room, at a friend’s house or anywhere else. Organizations that already enable mobile workstyles are way ahead of the game in this scenario. Instead of having to get used to disaster mode as an entirely different way of working, people keep using the same remote access tools they always do, only in a different physical setting.
Continuous IT operations
Datacenter continuity is the final element. Most large organizations already have more than one datacenter for scale and redundancy. If one goes offline for any reason—planned or unplanned—people should be able to switch seamlessly to another to access the same apps and data. Make sure your infrastructure can support this response in terms of rapid, automated failover, load balancing and network capacity.
How will your organization communicate with the greater outside world — including authorities, vendors and customers — if a business-interrupting event occurs? Equally important, are managers and employees well-versed in your business continuity plan? Will they know how to implement the plan when disaster strikes?
You will also need to keep an eye out for improvements to the solutions you rely on, and for new threats against which your current precautions are ineffective. Develop a schedule to perform regular system checkups and improvements, and stick to it. It might just bring your business back from the brink of disaster.