When it comes to protecting your business, department-level business continuity plans make a critical difference.
Achieving true resiliency at an organization depends on its being robustly prepared in three areas: crisis management, IT/disaster recovery, and business continuity. The last of these—business continuity—is often the last area to be fully implemented.
If your organization lacks sound plans to ensure it can carry on its business processes after a disruption, your company is as stable as a two-legged stool. Protecting your business processes is critical to your survival.
We’ve been talking a lot lately in the blog about mock disaster exercises (here, here, and here). Building off of those posts, I thought it might be worthwhile to look more closely at when these exercises should include departmental business continuity plans and what they should entail.
Mock exercises, whether tabletop or full-interruption and whether IT or non-IT based, are where we practice our recovery plans and the strategies we have put in place, to ensure that they will actually work when needed.
Today, we’re going to look more closely at the contents of the business continuity plans—the plans meant to allow you to keep your business processes going in the face of a disaster, or at least to quickly recover them. These are the plans used by non-IT departments for their actions. Remember, recovery is about more than just making sure applications and systems are available.
THE THREE-LEGGED STOOL
As I suggested above, business resiliency is a three-legged stool. The three legs are crisis management (CM), IT/disaster recovery (IT/DR), and business continuity (BC).
If you don’t have all three of these, your program will fail.
Winning the IT side of an emergency will do your organization no good if the departments that IT exists to support are out of commission.
In today’s post, we’ll set out what makes an effective recovery plan at the business recovery or process level so that it works to protect your business.
What do the plans for each department need to include to ensure that department can land on its feet in the event of an outage or emergency? Read on to find out.
WHAT ARE THE FOUR TYPES OF BUSINESS DISRUPTION?
In devising recovery plans for any department, the first thing to keep in mind is that the plans you write have to be adequate for the four types of emergency events.
What are the four types of events to consider when it comes to protecting your business? They are:
- Building loss. Loss of the use of a facility (e.g., your office floods and you can’t use it anymore).
- Technology loss. Loss of the use of a key technology (e.g., email or critical applications go down).
- Third-party loss. Loss of an important third-party resource (e.g., a critical vendor cannot provide their products or services).
- Personnel loss. Unavailability of staff (e.g., numerous employees are out sick because of a flu epidemic).
Note that I didn’t say you need to plan for every bad thing that could happen. You don’t. Instead, you plan in terms of categories of events. For example, it does not matter whether the reason for your loss of building is a fire, flood, or safety issue; the impact is the same. I’m sure you can see how this makes sense. I hope you can also see how it will make your life easier. An important note: these plans are not intended to replace emergency action plans related to health and safety (e.g., evacuation or medical emergency). These plans start after any safety-related event has been stabilized.
Consider organizing the plan by event category with the event-specific actions grouped together. While the steps for the department’s plans for the different types of events will include a lot of overlap, usability is the most important aspect of a plan. Don’t worry about some repeat information if that makes the plan easier to use.
ASSESSING RISKS AND IMPACTS
Once you begin thinking in terms of the four types of events, you can start analyzing the risks and impacts associated with each.
A good approach is to identify the top four or five risks or threats you will face under each of the four types of emergency events.
Ideally, you won’t be starting from scratch in developing this information. You should already have identified the major risks in the course of conducting your business impact analysis (BIA) or threat and risk assessment (TRA).
Note that the impacts we’re looking at are not necessarily those affecting the organization overall but those which threaten the department’s ability to carry out its business functions.
The focus here is not on computer applications but on equipment, people, the new location, changes to how processes are performed, customer access to the new location, communication with external parties, and any documentation needed.
It’s important to think about these matters in a high degree of detail. Are there special tools your people need to perform their jobs, such as special headphones or appliances?
This is all part of the risk and impact assessment of your business processes, and of your working out how you are going to continue performing those processes after each type of emergency event.
THINKING ABOUT DEPENDENCIES
Next, you need to start thinking about dependencies.
Dependencies in this case means the things, people, and third parties you need in place in order for your recovery plans to be executable.
You can plan all you want but if you haven’t made the preparations necessary for your plans to work, you’re still out of luck. These preparations can make all the difference in protecting your business processes.
Think of the recovery plan itself as being equivalent to taking your cell phone when you go on vacation. The dependency is the charger you need to keep your phone powered up. No charger will eventually mean no power and no phone. Better bring your charger! And you better make sure you think about and cover for the dependencies you need to make your plans workable.
Here are the main three types of dependencies to think about:
- Relocation dependencies. These are things such as directions and transportation needed to get people to the alternate work location, if the need arises.
- Equipment dependencies. This is the equipment that must be available in order for your recovery plans to work (such as internet access) and workstations for people to use (in the event of a relocation).
- Third-party dependencies. This is data pertaining to third parties that you might need to execute your plans and recover or sustain your business processes. This data can include names and contact information for contractors, vendors, temporary staffing agencies, and the like.
The next thing to look at in devising your business recovery plans is the actions that must be taken. These can be divided into three types: Immediate, Containment, and Recovery. We’ll take a closer look at each below.
Immediate Actions. These are the actions that must be taken right away to protect people and property (assuming first responders have already been summoned, if necessary).
- After you are sure everyone is safe and the building has been evacuated (if necessary), identify and address any issues associated with your business processes that you have to take care of in the next 30 minutes.
- Immediate actions frequently involve contacting people, such as customers, vendors, employees, or management. For example, you might need to call your top five customers and advise them of the situation, move your people to a new location, or call the bank to request a credit limit increase.
Containment Actions. These are the steps that must be taken to reduce further damage or impact from the event.
Recovery Actions. These are the actions that must be taken to move the department back toward normal operation. Note that some recovery actions would be performed for every type of event; others would only be performed in the case of particular events or impacts. The following are steps to be taken in regard to recovery actions:
- Establish how you will get to an alternate site and the first set of actions the recovery team will take when it reaches the site or work location. Don’t forget to consider what will happen when people are working from home.
- Establish ahead of time which functions are most important and restore them in that order (as dependencies allow).
- Identify and document manual workarounds as needed.
- For each business process, develop recovery steps for the risks you’ve identified, then work out how you’re going to recover that process.
- Document any operational or relocation changes.
- Based on the risks and impacts, document specific actions that are going to be taken for each business process. Don’t forget the dependencies.
- Be prepared in case primary staff is unavailable and untrained people are required to perform key recovery tasks. You might need to hold a thirty-minute training session so secondary or tertiary staff will be capable of handling these tasks. If this is a possibility, such training sessions should be included in your recovery plans. Is documentation required? See below for information on documentation.
- In cases where relocation of operations is necessary, carry out the previously identified tasks needed to achieve this objective, such as changing phone numbers and implementing alternative communication arrangements.
DON’T FORGET YOUR REFERENCE INFORMATION
The last major element of your business recovery plans is your reference information. This is the information you might need at some point in the process that isn’t included elsewhere in your plans. The point is to save people from having to try to remember these details in the heat of an emergency (and possibly forgetting some). This may be a reference to the information’s location or a copy as part of the plan in the appendix.
The following are documents that are typically included in this group of resources:
- Asset List. A list of important departmental assets such as laptops, phones, special printers, and so on.
- Process documentation and SOPs. These are the documents that explain how to perform the department’s primary operations and activities.
- Employee List. A list of departmental personnel with contact information. It might include a proposed employee work schedule for use during recovery. Such a schedule would list the various roles in the department and indicate how many employees in each role would be needed and for which times.
- Vendor List. A list of names, products or services supplied, contract IDs, and contact information for key vendors.
ACHIEVING TRUE RESILIENCY
In some respects, business continuity plans are the plans that time forgot. Many organizations don’t believe they are needed in today’s technology-driven environment, focusing instead on crisis management and IT/DR. Don’t make this mistake. Follow the suggestions given above to make sure your company will be able to continue or quickly resume its critical business processes in the event of an emergency. Being well-prepared in terms of BC, CM, and IT/DR is the key to achieving true organizational resiliency.
FURTHER READING IN BUSINESS CONTINUITY PLANNING
For more information on business continuity planning and other hot topics in business continuity and IT/disaster recovery, check out these recent posts from MHA Consulting and BCMMETRICS:
- Your BIA Action Guide: A Handbook for BIA Professionals (free ebook)
- 8 Bad Things: The Most Common Business Continuity Threats
- Weighing the Danger: The Continuing Value of the Threat and Risk Assessment
- The Write Stuff: How to Create and Maintain Business Continuity Documentation
- Let’s Get Critical: Identifying the Vendors You Truly Depend On
- The 6 Tasks Every Emergency Plan Should Address