Business Continuity Management: How to Stay Afloat During a Crisis

Are you prepared to recover from a disaster? Do you have Business Continuity/Disaster Recovery plans in place? If so, when was the last time you tested your business continuity plans? Organizations risk finding themselves in a sink-or-swim situation if not prepared. Organizations must have a Business Continuity Management process in place to reduce the risk of a negative impact.

What is Business Continuity?

The primary goal of Business Continuity Management is to allow business operations to continue under adverse conditions or, in worst cases, disastrous events. It’s a framework of appropriate resilience strategies for identifying an organization’s potential risks, exposures, and threats that could impact their operations.

There’s a wide range of business disruptions from short-term power outages to natural disasters, civil disorder, cyber-attacks, and pandemics that can have a long-term impact.

The impact of business disruptions could be traumatic to companies. The companies that survive these events are the ones that thought ahead, planned for the worst-case scenario, predetermined the potential damages that could occur, and put the controls in place to mitigate the risk.

Many businesses don’t have business continuity plans in place today. Risks can be high for organizations that don’t prepare for adverse conditions. Most companies will experience not only a significant business disruption but lose the confidence of customers, shareholders, employees, and partners, and some companies may even close their doors forever.

We can’t possibly prepare for every scenario, recent events have proved. The COVID-19 global pandemic has shaken the globe upside down, and many organizations don’t have business continuity plans. Some organizations do have business continuity plans in place, but there’s nothing in it for a pandemic scenario to help them during these times of quarantine and economic downfall. It’s an excellent time to dust off those outdated plans or develop them.

Here are the basic steps to get started or enhance your current process:

Establish the need for Business Continuity Management (BCM) process

It starts with the top-down management approach. Leadership direction must come from the highest senior levels (e.g., CEO, COO, and Board of Directors). Leadership sponsorship can help in defining the scope, objectives, policies, and critical success factors. It’s essential to bring together people who understand your core business and can make the right decisions. Then coordinate, organize, and manage the overall BCP process using a steering committee that includes (Sr. Management, key LOBs, Operations, Human Resources, Legal, Security, and Information Technology) to oversee the BCP process/project.

If you don’t have plans in place, you probably don’t have a business continuity planner in your organization. Identify someone to be a member of the core team that can lead the BCP project. The business continuity planner should be able to sell and present the BCP project to management and staff, develop a project plan, define and recommend tasks, and manage the process.

Conduct a Risk Assessment

Identify current or potential risks to the organization that can adversely affect the organization and its facilities with disruption as well as a disaster. It’s important to identify threats from both internal and external sources, including accidental and intentional. These threats should include, but not limited to, natural disasters, human-made incidents, technical disasters, or political disasters, etc. Of course, this would consist of a pandemic threat to your organization. For example, think about all that’s happened and the impact of COVID-19. Most of the employees are working from home. They are now routinely accessing sensitive corporate data over the internet from their mobile devices (corporate-approved/unapproved devices), which widens the attack vector. Once you have a prioritized list of business risks, assess those risks based on impact, and then determine what risk management controls to put in place to mitigate those risks.

Business Impact Analysis 

Identify and prioritize your organization’s critical business functions and its sub-processes. The identified business functions will keep the business afloat during a disaster. Not all business operations are essential during a crisis, so a business impact analysis must determine which has the highest impact and criticality levels if they are not available. The Business Impact Analysis (BIA) is a questionnaire approach of surveys, interviews, meetings, information gathering activities administered by the business continuity planner. Once the data is collected and analyzed, then the steering committee can leverage the results from the risk assessment and business impact analysis and define the criticality of each business function and prioritize recovery time-frames and minimum resource requirements to be in place to continue operations. The point is that you’re trying to determine how bad would it be during adverse conditions.

Develop a Plan of Action 

Leverage the results from the business impact analysis and develop a strategy to reduce the business impact that you’ve identified during the risk assessment. Begin to build & develop a plan document for each critical business function. Develop and implement recovery strategies that would minimize those risks that were predetermined. For example, will the employees work from home or a dedicated recovery facility if it’s a workspace outage? What recovery strategies do you have in place for a technical disaster? Business Continuity Planning deals with uncertainty and probability. The point is that even though organizations can’t predict whether a business interruption will happen, that doesn’t mean you can’t plan for it. You’re preparing for something that hopefully never happens, but meanwhile, you still can have actionable plans in place today for tomorrow.

The purpose of a business continuity plan document is to provide guidelines to follow before, during, and after a business disruption or disaster that may impact the business function’s ability to continue business as usual. The plan document must also cover several objectives.

The first two primary objectives should be to protect human life and protect the organization’s financial assets.

Test, Train & Maintain the Plan

The business continuity planner must pre-plan and coordinate regularly scheduled exercises. The plan document has to be up-to-date and maintained and ready for consumption at a moment’s notice. Develop an exercise strategy that does not put the organization at risk.

The approach should be practical, cost-effective, and appropriate to the organization, which ensures a high level of confidence in the recovery capability. The steering committee should determine plan maintenance activities and how often.

Tests, disaster recovery drills, and exercises should be scheduled at least once a calendar year. A company should have no confidence in plans if not tested. Planned tests/exercises are also an excellent way to socialize the business continuity plan as well; it’s a unique way to promote awareness and training to employees about business continuity.

Conclusion

If you don’t have BC/DR plans in place, it’s an excellent time to develop them. It’s not about whether are not you’ll have a significant business disruption or not, but it’s about when. Business continuity planning is usually a low priority in most organizations today, but that does not mean it is not essential and vital. Unfortunately, many organizations have to experience significant pain to understand how it could have mitigated the risk if they had planned. Is your organization prepared for a disaster?