How to create an effective business continuity plan
Assess business processes for criticality and vulnerability: Business continuity planning “starts with understanding what’s most important to the business,” says Joe Nocera, principle in the cyber risk and regulatory practice at PwC, a professional servic
Assess business processes for criticality and vulnerability: Business continuity planning “starts with understanding what’s most important to the business,” says Joe Nocera, principle in the cyber risk and regulatory practice at PwC, a professional services firm.
So the first step in building your business continuity plan is assessing your business processes to determine which are the most critical; which are the most vulnerable and to what type of events; and what are the potential losses if those processes go down for a day, a few days, or a week.
“This step essentially determines what you are trying to protect and what you are trying to keep up for systems,” says Todd Renner, senior managing director in the cybersecurity practice at FTI Consulting.
This assessment is more demanding than ever before because of the complexity of today’s hybrid workplace, the modern IT environment, and the reliance on business partners and third-party providers to perform or support critical processes.
Given that complexity, Goh says a thorough assessment requires an inventory of not only key processes but also the supporting components — including the IT systems, networks, people, and outside vendors — as well as the risks to those components.
This is essentially a business impact analysis.
Determine your organization’s RTO and RPO: The next step in building a business continuity plan is determining the organization’s recovery time objective (RTO), which is the target amount of time between point of failure and the resumption of operations, and the recovery point objective (RPO), which is the maximum amount of data loss an organization can withstand.
Each organization has its own RTO and RPO based on the nature of its business, industry, regulatory requirements, and other operational factors. Moreover, different parts of a business can have different RTOs and RPOs, which executives need to establish, Nocera says.
“When you meet with individual aspects of the business, everyone says everything [they do] is important; no one wants to say their part of the business is less critical, but in reality you have to have those challenging conversations and determinations about what is actually critical to the business and to business continuity,” he adds.
Detail the steps, roles, and responsibilities for continuity: Once that is done, business leaders should use the RTO and the RPO, along with the business impact analysis, to determine the specific tasks that need to happen, by whom, and in what order to ensure business continuity.
“It’s taking the key components of your analysis and designing a plan that outlines roles and responsibilities, about who does what. It gets into the nitty-gritty on how you’re going to keep the company up and running,” Renner explains.
One common business continuity planning tool is a checklist that includes supplies and equipment, the location of data backups and backup sites, where the plan is available and who should have it, and contact information for emergency responders, key personnel, and backup site providers.
Although the list of possible scenarios that could impact business operations can seem extensive, Goh says business leaders don’t have to compile an exhaustive list of potential incidents. Rather, they should compile a list that includes likely incidents as well as representative ones so that they can create responses that have a higher likelihood of ensuring continuity even when faced with an unimagined disaster.
“So even if it’s an unexpected event, they can pull those building blocks from the plan and apply them to the unique crisis they’re facing,” Nocera says.
The importance of testing the business continuity plan
Devising a business continuity plan is not enough to ensure preparedness; testing and practicing are other critical components.
Renner says testing and practicing offer a few important benefits.
First, they show whether or how well a plan will work.
Testing and practicing help prepare all stakeholders for an actual incident, helping them build the muscle memory needed to respond as quickly and as confidently as possible during a crisis.
They also help identify gaps in the devised plan. As Renner says: “Every tabletop exercise that I’ve ever done has been an eye-opener for everyone involved.”
Additionally, they help identify where there may be misalignment of objectives. For example, executives may have deprioritized the importance of restoring certain IT systems only to realize during a drill that those are essential for supporting critical processes.
Types and timing of tests
Many organizations test a business continuity plan two to four times a year. Experts say the frequency of tests, as well as reviews and updates, depends on the organization itself — its industry, its speed of innovation and transformation, the amount of turnover of key personnel, the number of business processes, and so on.
Common tests include tabletop exercises, structured walk-throughs, and simulations. Test teams are usually composed of the recovery coordinator and members from each functional unit.
A tabletop exercise usually occurs in a conference room with the team poring over the plan, looking for gaps and ensuring that all business units are represented therein.
In a structured walk-through, each team member walks through his or her components of the plan in detail to identify weaknesses. Often, the team works through the test with a specific disaster in mind. Some organizations incorporate drills and disaster role-playing into the structured walk-through. Any weaknesses should be corrected and an updated plan distributed to all pertinent staff.
Some experts also advise a full emergency evacuation drill at least once a year.
Meanwhile, disaster simulation testing — which can be quite involved — should still be performed annually. For this test, create an environment that simulates an actual disaster, with all the equipment, supplies and personnel (including business partners and vendors) who would be needed. The purpose of a simulation is to determine whether the organization and its staff can carry out critical business functions during an actual event.
During each phase of business continuity plan testing, include some new employees on the test team. “Fresh eyes” might detect gaps or lapses of information that experienced team members could overlook.
Reviewing and updating the business continuity plan should likewise happen on an ongoing basis.
“It should be a living document. It shouldn’t be shelved. It shouldn’t be just a check-the-box exercise,” Renner says.
Otherwise, plans go stale and are of no use when needed.
Bring key personnel together at least annually to review the plan and discuss any areas that must be modified.
Prior to the review, solicit feedback from staff to incorporate into the plan. Ask all departments or business units to review the plan, including branch locations or other remote units.
Furthermore, a strong business continuity function calls for reviewing the organization’s response in the event of an actual event. This allows executives and their teams to identify what the organization did well and where it needs to improve.
How to ensure business continuity plan support, awareness
One way to ensure your plan is not successful is to adopt a casual attitude toward its importance. Every business continuity plan must be supported from the top down. That means senior management must be represented when creating and updating the plan; no one can delegate that responsibility to subordinates. In addition, the plan is likely to remain fresh and viable if senior management makes it a priority by dedicating time for adequate review and testing.
Management is also key to promoting user awareness. If employees don’t know about the plan, how will they be able to react appropriately when every minute counts?
Although plan distribution and training can be conducted by business unit managers or HR staff, have someone from the top kick off training and punctuate its significance. It’ll have a greater impact on all employees, giving the plan more credibility and urgency.
About Author
