Developing a Business Continuity plan

We rarely get a head's up that a disaster is ready to strike. Even with some lead time, though, multiple things can go wrong; every incident is unique and unfolds in unexpected ways.

This is where a business continuity plan comes into play. To give your organization the best shot at success during a disaster, you need to put a current, tested plan in the hands of all personnel responsible for carrying out any part of that plan. The lack of a plan doesn't just mean your organization will take longer than necessary to recover from an event or incident. You could go out of business for good.

How Business Continuity, Disaster Recovery Plans Differ

Business continuity (BC) refers to maintaining business functions or quickly resuming them in the event of a major disruption, whether caused by a fire, flood, epidemic illness or a malicious attack across the Internet. A BC plan outlines procedures and instructions an organization must follow in the face of such disasters; it covers business processes, assets, human resources, business partners and more.

Many people think a disaster recovery plan is the same as a business continuity plan, but a DR plan focuses mainly on restoring IT infrastructure and operations after a crisis. It's actually just one part of a complete business continuity plan, as a BC plan looks at the continuity of the entire organization. Do you have a way to get HR, manufacturing, and sales and support functionally up and running so the company can continue to make money right after a disaster?

For example, if the building that houses your customer service representatives is flattened by a tornado, do you know how those reps can handle customer calls? Will they work from home temporarily, or from an alternate location? Companies such as SunGard sell access to cubicles that include a desk, phone and computer in their recovery centers, along with server- and device-based DR services.

Note that a business impact analysis (BIA) is another part of a BC plan. A BIA identifies the impact of a sudden loss of business functions, usually quantified in a cost. Such analysis also helps you evaluate whether you should outsource non-core activities in your BCP, which can come with its own risks. The BIA essentially helps you look at your entire organization's processes and determine which are most important.

Why Business Continuity Planning Matters

Whether you operate a small business or a large corporation, you strive to remain competitive. It's vital to retain current customers while increasing your customer base — and there's no better test of your capability to do so than right after an adverse event.

Because restoring IT is critical for most companies, numerous disaster recovery solutions are available. You can rely on IT to implement those solutions. But what about the rest of your business functions? Your company's future depends on your people and processes. Being able to handle any incident effectively can have a positive effect on your company's reputation and market value, and it can increase customer confidence.

First, Create a Business Continuity Plan

If your organization doesn't have a BC plan in place, start by assessing your business processes, determining which areas are vulnerable, and the potential losses if those processes go down for a day, a few days or a week. This is essentially a (BIA).

There are six general steps involved in creating a business continuity plan:

1. Identify the scope of the plan.
2. Identify key business areas.
3. Identify critical functions.
4. Identify dependencies between various business areas and functions.
5. Determine acceptable downtime for each critical function.
6. Create a plan to maintain operations.

One common business continuity planning tool is a checklist that includes supplies and equipment, the location of data backups and backup sites, where the plan is available and who should have it, and contact information for emergency responders, key personnel and backup site providers.

Remember that the disaster recovery plan is part of the business continuity plan, so check with your IT department to ensure it has or is actively developing a DR plan.

As you create your plan, consider interviewing key personnel in organizations who have gone through a disaster successfully. People generally like to share "war stories" and the steps and techniques (or clever ideas) that saved the day. Their insights could prove incredibly valuable in helping you to craft a solid business continuity plan.

Then, Test Your Business Continuity Plan

You have to rigorously test a plan to know if it's complete and will fulfill its intended purpose. Many organizations test a business continuity plan two to four times a year. The schedule depends on your type of organization, the amount of turnover of key personnel and the number of business processes and IT changes that have occurred since the last round of testing.

Common tests include table-top exercises, structured walk-throughs and simulations. Test teams are usually composed of the recovery coordinator and members from each functional unit.

A table-top exercise usually occurs in a conference room with the team poring over the plan, looking for gaps and ensuring that all business units are represented therein.

In a structured walk-through, each team member walks through his or components of the plan in detail to identify weaknesses. Often, the team works through the test with a specific disaster in mind. Some organizations incorporate drills and disaster role-playing into the structured walk-through. Any weaknesses should be corrected and an updated plan distributed to all pertinent staff.

It's also a good idea to conduct a full emergency evacuation drill at least once a year. This type of test lets you determine if you need to make special arrangements to evacuate staff members who have physical limitations.

Lastly, disaster simulation testing can be quite involved and should be performed annually. For this test, create an environment that simulates an actual disaster, with all the equipment, supplies, and personnel (including business partners and vendors) who would be needed. The purpose of a simulation is to determine if you can carry out critical business functions during the event.