5 steps for developing a business continuity plan

If your business is interrupted by a loss, you’ll need more than just a strong insurance policy. You’ll need a plan. Developing a solid business continuity plan (BCP) is a great way for any organization to successfully minimize disruptions and navigate an unexpected or unfortunate event. That could include anything from losing an important team member, being affected by a flood or falling victim to a cyber breach or attack. Regardless of the industry or size of company, a well thought out BCP helps ensure key functions of your business can continue even if the worst happens. 

Here are five key steps to help you build your organization’s business continuity plan:

Step 1: Analyze your risks

This crucial first step involves thoroughly evaluating all the risks and hazards that could disrupt the business. In fact, the BCP should be developed around a “worst case scenario” with the understanding that the response can be scaled appropriately to match the actual incident. So go ahead and start by identifying all potential risk scenarios, however unlikely they may initially sound. Then, focus on scenarios that are most relevant to your business. For example, extreme weather risks tend to be geographical and not applicable to all firms, but emerging risks like cyber-attacks are relevant for all organizations, so reviewing the security of your computer network and the effectiveness of any firewalls is an important consideration in step 1.

And don’t make the mistake of overlooking your business’ more mundane, everyday risks, such as any physical or security hazards.

Step 2: Business impact analysis

In step two, assess the business impact of the disruptive scenarios that were brought to light in the initial risk analysis and calculate the various costs related to these risks. This enables you to quantify how each risk will impact your company’s service delivery and whether / for how long you can continue to operate without certain services.

The business impact analysis allows organizational leaders to develop objectives and priorities by examining potential disruptions to the company’s people, technology, infrastructure and vendors.

This impact analysis can go hand in hand with calculating your company’s business interruption limit – another important calculation we recommend your business stays on top of.

Step 3: Create a detailed response and recovery plan

Your company has already been disrupted, now it’s about protecting your organization and staff from further damage. Based on the findings from the business impact analysis, you’re now ready to create a thorough response and recovery plan. This involves implementing procedures and measures that help your business to both prevent and recover from a disruptive event. Your plan should address all the goals of your BCP, which are to:

• Safeguard lives and reduce the chance of (further) injury
• Protect assets
• Restore critical business processes, systems and activities
• Reduce the length of the interruption of business
• Protect your business’ reputation
• Control media coverage
• Maintain customer relations.

 
For example, in order to achieve these goals, the plan would include a strategy for accessing key business and customer information, handling payroll, and explaining where employees should congregate or work from if the business location is inaccessible. It would also include a roadmap of alternative ways to handle daily operations if computer systems, equipment, suppliers, employees, etc. are unreachable or unavailable. You should also develop and print a list of important contacts in case the disruption affects computers, the network or your customer-relationship management (CRM) system. This list should include employees, clients, vendors, emergency response services, suppliers, your insurance broker and your accountant.

Once you’ve created the plan, you need to assemble a BCP team to learn it, test it and roll it out when it counts. At this stage, a BCP Coordinator should be identified. This person is not only responsible for overseeing and facilitating the coordination of the BCP upon activation of the plan, but also for ensuring that:

• The plan has been created and adheres to the company’s standard
• Advanced preparations have been completed
• The plan is regularly tested (step 4)The plan is regularly maintained (step 5)

Step 4: Test the plan

Great, so you have a plan and everyone knows their role should disaster (or interruption) strike. But implementing the plan in the event of an unexpected incident is something altogether different. That’s why testing the plan is so important. You should create a simulated scenario in which one of your highest risk disruptions actually happens and then analyze how key stakeholders execute the plan. It gives teams and leaders great insight into the effectiveness of the plan and will highlight any hiccups or steps that need reworking. It’s much easier to spot problems in real time rather than in a Word document or PowerPoint presentation. The plan should be tested at least once a year.

Step 5: Maintain the plan

It’s no good sitting back and admiring your work. Your organization is constantly evolving and therefore, so is your risk. If you move offices or change computer systems, your risk profile is going to change significantly and your plan will have to be tweaked and tested accordingly. Even having a high turnover of staff in a short period of time could render parts of your original plan obsolete.

Analysis should be ongoing and you should bring stakeholders together at least once a year to review the plan and talk about any sections that might need updating. At this stage it’s as much about your attitude to risk as it is the risk itself. Having gone through the process of creating and testing the plan, you have a solid understanding of where your company may be susceptible. Now it’s all about being switched on to organizational changes as and when they happen and thinking about how they affect your risk exposures.

Preventing unexpected events is tough but planning how to react when they do happen is something that every company should do.