Business Continuity Plan - A key to being ready always
A very common saying is “Prevention is better than a cure”. A business continuity plan (BCP) is a plan for protecting the business from any expected or unexpected disasters that might affect business operations & customer delivery. A BCP is the cheapest insurance a business can have. Rather than investing time & effort in recovery after a disaster, a business continuity plan ensures that critical processes & operations continue to be available.
A Business Continuity Plan includes the following:
- Anticipating risks & risk evaluation
- Risk management & control
- Measurements & arrangements for business continuity
Who needs business continuity plans?
Every organization faces various kinds of risks that might or might not be in its control. Risks are classified as:
Controllable risks
- Power failure
- Sabotage or cyber attacks
- Internal disputes
Non-controllable risks
- Natural disasters such as floods, earthquakes, etc.
- Fire etc.
Creating & maintaining a BCP ensures that the company has enough or even more resources to cope with such a disruption & ensure continuous delivery or rapid recovery of operations. An organization with a business continuity plan is looked up to by its employees, competitors & customers for its proactive approach. At the same time, better efficiency, confident human capital & better resource management are a few indirect benefits of having a BCP.
Steps to create a Business Continuity Plan
A correct BCP is very important to run a business. Development of a business continuity plan has to follow four steps:
- Business impact analysis
- Recovery strategy
- Plan development
- Testing & training
# 1 Business impact analysis (BIA)
This is the first step in drawing up a BCP for any organization. Disruption of a process can have a significant impact on revenue. For example, a power cut for a few hours might affect production & further result in delayed delivery. A business impact analysis is conducted to identify critical processes & functions, prioritize time & identify resources available to support them at the time of need or urgency. The following are aspects of conducting a BIA:
- Identify the mandatory products, services or information that must be delivered at any cost.
- After the critical products & services are identified, they must be ranked in order of priority. Priority may be set after gathering information on the impact of delay in service delivery, loss of revenue & time required for recovery.
- Whether an activity requires insurance cover or not is to be determined during BIA itself.
- During BIA, management must identify the internal & external dependencies of critical products & services.
# 2 Recovery strategies
Businesses might be impacted by machinery breakdown, delayed delivery by a supplier, disrupted IT services, etc. All organizations need recovery strategies to restore operations to an acceptable level. These strategies ensure that critical processes & operations are not disrupted.
Recovery strategies involve identification of back-ups. For instance, in case of machinery malfunction or breakdown, loss of production can be prevented by shifting the load to another machine. Back-ups need not only be internal. Dependence on third parties or relocation of processes to an alternate site may also be a part of a company’s recovery strategy.
Another important strategy is to identify staff who can telecommute. This strategy involves giving sufficient infrastructure to the employees who can work from home in case of emergencies.
# 3 Manual workarounds
The next step is to identify the team, including the recovery team, for a BCP. This team shall be responsible for undertaking all the processes & operations, including disaster recovery, at the time of disruption. These team members should be experienced personnel who have complete knowledge of their responsibilities. A complete plan & process should be designed & discussed with the concerned team. The plan should include relocation, recovery, approval process, manual workarounds, etc.
Manual workarounds are a part of the IT plan. These lay out the manual procedures that will be undertaken in case of technology breakdown. First, identify the automated processes; make a flow chart clearly defining each step involved in these processes. Further, identify the internal & external interfaces:
Internal interface: Departments, staff, other resources, etc.
External interface: Suppliers, outside contact persons, outsourced activity & resource requirements etc.
# 4 Testing & training
A business continuity plan, however well designed, will not prove to be of any use if employees are not trained enough. For instance, in case of fire on the floor, are the employees aware of the system that would alert everybody to the danger? Are they familiar with their responsibilities & security systems? Would they be able to evacuate the building in time?
Training is essential to make every employee aware of the steps to be taken in case of emergencies. Each employee needs to be informed of and kept up to date on the available security systems, the procedures to be followed for life safety, etc. Evacuation drills should be conducted periodically to train staff in safety, security & other loss prevention programs.
At the same time, it is important to define the responsibilities that identified staff are required to perform at the time of disruption. Also, the rest of the workforce must be informed of these personnel & what roles they have been assigned.
Quality assurance to check the implementation
Continuous testing & assessment of any process is a key to success. Similarly, BCP should be assessed from time to time to determine whether any improvement is required & to assess its effectiveness. This is known as quality assurance and is performed at both internal & external levels to ensure effectiveness at the time of disruption of operations or processes.
Internal assessment must be conducted either at periodic intervals to review the BCP or as & when changes occur in the organization. Review is also required to check the findings & their implementation after an exercise.
On the other hand, an external assessment of the BCP is conducted by a consultant. These assessments verify the procedures used to determine critical processes & methods, and the accuracy and comprehensiveness of the business continuity plans.