In the preceding article we explored some of the advantages in having a well-constructed business continuity plan. Now let’s examine the basic form a BCP should take and the key information it should feature.
What vital information should a Business Continuity Plan contain?
Regardless of your sector, the scale of your IT infrastructure or the risk profile of your business activities, your business continuity plan should incorporate the following information:
The Plan’s Scope
As a priority, your plan should give a detailed account of the personnel, business functions/departments, infrastructural components and supply chain elements that the plan seeks to protect.
Nominated plan ‘leaders’
The plan should make clear which individuals are responsible for executing the plan’s component parts. It should also include the names of leaders nominated to coordinate the post-incident response.
Substitute systems and recovery mechanisms
The plan should outline the solutions that will instated to substitute faulty components or services. This could include hardware, software systems or utilities. The plan should also make clear reference to the backup solutions that will be activated to restore critical systems and data.
Third-party supporting actors
Clear reference should be made to third-party agents selected for post-incident support, including hardware suppliers, software vendors, IT support partners and utility providers.
How to write your Business Continuity Plan
With the above information gathered, you can now start constructing your business continuity plan. While there are various ways to approach this, the following 5-stage process is a great place to begin and should help you devise a BCP that offers comprehensive protection across all areas of your business.
Stage 1). Carry out a Business Impact Analysis (BIA)
A business impact analysis is a process designed to quantify the effects of disruption on your business activities, and highlight the business domains, resources, systems and dependencies most critical to operational continuity. The results of the BIA are required to inform the decisions you make in the creation of the business continuity plan.
The BIA seeks to identify vulnerabilities inherent in your business domains and processes, and creates a ‘risk profile’ for each so you’re able to identify the most business-critical components of your organisation. The business impact analysis should examine the following:
· The customer interface - The service portals, contact points and delivery mechanisms your customers have direct contact with.
· Data vaults - The infrastructure used to house your business-critical data and software systems, both on-premise and cloud-hosted.
· Enterprise software – All the software programmes essential to your business activities, including the likes of inventory management tools, asset tracking software, delivery management software, workflow management tools and customer relationship managers.
· Utilities – water, electricity, internet, gas and other fuels
The data gathered from the business impact analysis will help you ascertain which processes, departments, systems and utilities are most essential to the running of your business at the most fundamental level. It can also draw attention to dependencies, allowing you to identify which components might create a chain reaction of disruption if they were to fail.
Use the results of the BIA to ‘risk score’ each element of your business, by comparing the vulnerability of each element with its operational criticality. Business components with the highest risk score (those most vulnerable and business critical) should be the top priority when introducing backup and failover systems.
Stage 2) Select backups and substitutes
Utilising the results of the business impact analysis, you can now explore and select suitable data backup options, contingency systems and substitute hardware. Think about how you’d maintain contact with clients if your phone system went down. Consider how you’d restore business-critical data following a cyber attack, and give thought to how you’d ensure service continuity following a power outage.
Draw up a list of preferred suppliers, utility providers and service providers you intend to contact for support.
Stage 3) Begin composing your Business Continuity Plan
Now that you’ve identified your business’s greatest vulnerabilities, highlighted those most critical to your operations and explored the backup and contingency services that will be executed in the event of a crisis, it’s time to insert some detail into your BCP. It’s advisable to produce a number of documents, each pertinent to a specific business department or function.
The precise formatting is not important, but it should broadly take the form of a checklist, with step-by-step instructions that are easily interpretable by your staff. Any backup or failover solutions to be implemented should be clearly specified, with checklist-style instructions for the operation of each. Continuity plan leaders should be identified by name, any plans for temporary relocation should set out in detail, and the process for acquiring and installing new infrastructure should be well defined, giving reference to suppliers where necessary.
Ultimately, each member of your team should be left in no doubt as to their role in implementing the plan, with each feeling confident enough to carry out their duties without further instruction.
Stage 4) Familiarisation
Once you’ve completed your plan, distribute the documents among your departments, ensuring each member of your team has access to the information relevant to them. Host a meeting with your team in which you introduce your business continuity plan, explain its purpose, and direct individual team members to their roles and responsibilities within it, ensuring in particular that leaders understand their critical roles. After this introductory exercise, make copies of the plan readily available to you team and encourage them to acquaint themselves with the scenarios within it.
Stage 5) Stress-test your plan
If your business continuity plan is complex – involving many actors, systems and protocols – then it’s vital to stress-test it regularly to ensure it remains fresh in the minds of your team. Nominate ‘business continuity training leaders’ and have them conduct simulated emergencies. These hypothetical scenarios can be used to evaluate the readiness of your team, using surveys and questionnaires to test knowledge of the BCP. Regular training exercises of this nature can be a great way to spot opportunities for improvement.
In business it’s foolhardy to leave anything to chance. By investing time into creating a business continuity plan now, you’ll ensure your business is able to emerge from disruptive events relatively unscathed. You’ll be able to deliver for your customers through turbulent times and add a new layer of invulnerability to your organisation.