4 Steps for Creating a Business Continuity Plan
Surviving disasters is all about planning. Find out how to prepare your business for a crisis.
Developing strategies for business growth is a cornerstone of the modern organization. Developing strategies to help avoid business loss is just as important, which means business continuity plans are critical. These documents provide detailed plans on how to keep essential operations running during an emergency in order to minimize losses.
Some organizations call these documents “disaster recovery plans.” Others use this term to refer to department-level recovery plans and use the term “business continuity plan” when discussing organization-wide plans. These organizations will have one business continuity plan and several disaster recovery plans. Regardless of the terminology that your company uses, you need a system in place for getting through a crisis.
Here are four steps for creating a business continuity plan:
1. Perform a Business Impact Analysis
The first step in creating a business continuity plan is to perform a business impact analysis. To begin, list the processes that you use to deliver your products and services to customers. Then, catalog the resources needed to power those processes. The resources often include employees, business partners, office buildings, IT infrastructure and other technology assets, and office supplies.
After completing this inventorying process, ask yourself how a crisis would impact your business. If a critical disk failure causes you to lose a week’s worth of work, would you still be able to deliver your products and services? If a fire destroys your building or your computer system fails, how long would you be able to function without it?
To answer questions like these, you need to find out how long you would be able to operate in an emergency if you were cut off from your resources. This timeframe is known as the maximum tolerable period of disruption (MTPOD). It represents how much time you have to either fix a problem or find an alternative solution. If you are unable to recover in time, you could be held liable for failing to give your customers the service or product that you agreed to provide them. For this reason, you should address legal liabilities and similar issues in your business impact analysis.
2. Prepare Specific Recovery Plans for Employees and Departments
Now that you know your MTPOD, you can set a goal for how long it will take you to recover. This is known as the recovery time objective (RTO). With the RTO in mind, you can start writing recovery plans for each department, team, and senior manager in your organization.
These plans must list all the tasks that need to get done in a crisis and assign each task to a specific person. For example, in a plan that relates to a power failure, one employee might have the task of contacting the power company. Another employee might be in charge of checking the backup generator. A third might be responsible for maintaining the lines of communication between team leaders. After they have carried out these tasks, they can move on to the second job on their lists.
If your departments contain many employees or intradepartmental groups, make sure that your plans explain the departmental chain of command in an emergency. It is also a good idea to cross-train employees in the emergency tasks. That way, if one person is absent, busy, or incapacitated, a second staff member will be able to take that person’s place.
Unfortunately, you might not be able to carry out your primary recovery plan because of some unforeseen detail or series of events. This is why you need to create a set of backup recovery plans as well. These secondary plans might assign the tasks to different people or carry out the tasks in a different order. The secondary plans might even have employees perform the tasks from an alternate location in the event that the office is out of commission.
3. Create a Battle Box
Battle boxes contain equipment and documents that companies need during emergencies. Your battle box should contain all the documentation for your business continuity plan, as well as the plans for each department and senior manager. Plus, it must include key pieces of information about your company’s IT infrastructure, such as product serial numbers. Since communicating during a crisis is important, you also need to include contact information for all your employees and outside partners.
While these business-specific items are important, don’t forget to include practical items such as a flashlight, a cellphone, a laptop, a first aid kit, and a few bottles of water. For small companies, a single battle box should be fine. If your company is large, you might want to provide battle boxes for each department.
4. Practice for the Real Thing
When it comes to your business continuity plan, practice makes perfect. Running crisis simulations as part of your training program will help you determine how well your plan will work in real life. These exercises also let your employees feel what it is like to be in an emergency. That way they will be less likely to panic if an actual crisis occurs.
Amazon, AT&T, Google, and Netflix take practice runs to the next level. They often surprise their emergency response teams by performing crisis simulations without any warning. While some businesses have in-house teams run and monitor crisis simulations, many other companies hire third-party facilitators for this job. These experts record a response team’s actions during a simulation, analyze the results after the fact, and offer suggestions about ways to improve the team’s reactions.
Besides performing emergency response drills, these professionals can help you develop your business continuity plan. Talk to your IT service provider about the ways in which an outside disaster recovery specialist can help your business.