By Michael Curtis – President of The Response Team Inc.
Why is it that your business should be thinking about a business continuity plan? Well quite simply – “stuff” happens. Sometimes that “stuff” is within our control but some of the time it is not. First of all I think that we should define a couple of terms:
A Business Continuity Plan enables critical services or products to be continually delivered to clients and endeavors to ensure that critical operations continue to be available.
The Disaster Recovery Plan is a subset, a small part of overall business continuity. It is the process of saving data with the sole purpose of being able to recover it in the event of a disaster.
A Business Resumption Plan describes how to resume business after a disruption.
These three plans are quite different from one and other. If you have questions about them please get in touch with me and I would be happy to walk you through them and the processes involved in them.
So what is this “Stuff” that I refer to? These are the hazards that we face every day and how they could impact our businesses. Generally these hazards are identified in the risk analysis (Which I will talk about later). These risks are generally broken down into two distinct groups and are identified as either natural or human caused.
Natural hazards may include the severe weather phenomenon that we are aware of, such as: severe bad weather including high winds, hail, tornadoes, hurricanes, floods, forest fires, earthquakes, epidemics, and tsunamis.
Human caused hazards can be broken down into two categories as well: intentional and non-intentional.
Non-intentional human caused hazards include: construction of failures (roads, bridges, water systems, etc.), Power or energy failures, explosions and fires, hazardous materials spills, financial issues, etc.
Intentionally caused human hazards include: civil disobedience, work action or stoppages, sabotage, terrorism, etc.
While this is just a short list, and any incident, emergency, or disaster may provide minor or significant impacts to any organization and their ability to continue business. This is why we need to have a plan in place ahead of time.
Business continuity management is not a new topic. However many people misunderstand what’s involved in business continuity management. My experience has taught me that business continuity management can actually be thought of as an umbrella. The umbrella can be thought of as the overarching and encompassing combination of the following components:
1. Risk management
2. Disaster Recovery
3. Facilities Management
4. Supply Chain Management
5. Quality Management
6. Health and Safety
7. Knowledge Management
8. Emergency Management
10. Crisis Communication and Public Relations
Do not let this list overwhelm you. The vast majority of companies do not have a solid grasp on all 10 components. So what steps can you take? What’s involved you may ask? While there are six steps in completing a business continuity plan. They include:
1. Risk Management (or Risk Assessment)
2. Business Impact Analysis
3. Business Continuity Strategy Development
4. Business Continuity Plan Development
5. Business Continuity Plan Testing
6. Business Continuity Plan Maintenance
I will go through the steps of a couple of these in this blog. The risk management staff or risk assessment enables your organization to determine:
a) What incidents can occur
b) How often they are likely to occur
c) The damage and incident is likely to cause
d) How will an incident likely affect the organization
e) How vulnerable the organization is to the hazard
Once the risk assessment is completed and we have a better understanding of the hazards that the organization may face we need to turn to the business impact analysis. The business impact analysis (BIA) is the assessment of the impact of a disruptive event on the business and the importance of that business function as it applies to your mission. In other words it will identify:
• Which business areas are critical to the your business survival
• Time imperatives on the delivery of products and services
• RTO – Recovery Time Objectives
• MTO – Maximum Tolerable Outages
• Who is involved both internally and externally in the achievement of the business objective (Dependencies)
• Minimum Resource requirements.
The BIA will assist in identifying the quantitative and qualitative impacts of a negative event:
Quantitative: Financial in nature (Sales, property loss, penalties, unexpected expenses
Qualitative: Operational or Non-Financial (Loss of Staff from this point in the process, low morale, reputation or credibility, customer relations etc.
From this point in the process we will begin to develop the strategies necessary to combat the effects of the most likely incidents to affect your organization. Once those strategies are in place we can begin to put together the plan which will help drive how you will implement these strategies if an incident were to occur in your organization.
Once the plan is in place it is important to test the plan. Testing can occur on small or large scales depending on the needs of the organization. As testing of the plan occurs your organization will soon determine what levels of maintenance need to occur on the plan.
Maintenance should occur on a yearly basis at minimum, so as to incorporate changes in your business as they occur including personnel, location, buildings affected, expansion, contraction, or changes in significant business processes.
One of the significant steps that you will notice in the process is that as you move outside your comfort zone, what was once the unknown and frightening becomes your new normal.
Our Vision: Providing you peace of mind – A sense of calm.
It is normal to be concerned and in some cases afraid of the unknowing certainties that lie ahead. With the assistance of professionals in the field of business continuity management and emergency management response, we can help bring those concerns to a manageable level. At the response team Inc. our mission is to provide you with timely, professional, and responsible direction and manpower before, during, and after an incident. It is our vision to provide you peace of mind - a sense of calm.