BUSINESS CONTINUITY PLANNING FOR SMALL AND MEDIUM-SIZED BUSINESSES (by Tarran Dookie)
Business continuity planning (BCP) focuses on the creation of a plan or strategy to ensure that the core operations of a business can function in the event of a disaster. Disasters are unexpected events that adversely affect people or resources and threaten the continued operation of an organization. They can be natural (like floods, hurricanes or earthquakes) or man-made (like chemical leaks, fires or cyber attacks).
Business continuity planning seeks to have in place steps to take following an emergency to ensure that there is normalcy of operations (in such areas as processes, administration, IT and finance), thereby ensuring that income continues to be generated. Even in cases where income may not be able to be generated for some time, there must be a plan outlining the necessary steps that must be taken for income generation to restart.
Business continuity planning encompasses the identification of the various threats and risks, how those risks affect operations (these two aspects form the core of a Business Impact Analysis), putting in place recovery procedures and testing the procedures to make sure that they work, and constant review in light of possible changes in the operations and inherent risks. A business continuity plan must cover the recovery procedures, departmental overview, critical functions and key resources.
The value placed upon an organisation’s ability to be resilient in times of crisis is growing. More emphasis is placed upon business continuity by governments, professionals and institutions. Some contracts may not be won unless a business continuity programme is in place. The provider of the contract wants to be sure that your firm will be around to furnish the goods and services they require from you. Having a business continuity plan can be a competitive edge.
Unfortunately, many small and medium-sized organisations (SMEs) do not go beyond purchasing basic insurance as they feel the expense and effort in having something more substantial in place may not be justified. They choose not to think of possible disasters and believe that should something go wrong they can always adapt. Such an approach may work for minor incidents, but will it really work if a major event occurs?
Some owners and managers of SMEs prefer to spend money on possible growth opportunities rather than on business continuity programmes. However, business continuity management must be seen as an investment in the business. It ensures the survival of the business.
The amount to be expended in any plan would depend on the size of the operation, its capital base and existing contingency measures. Other factors that would come into play include regulatory requirements, competition and the tolerance of customers. At the very least the plan should encompass protection of assets, information and processes.
The plan should be clear on what is to be expected. The amount spent should bear some relevance to the risk being dealt with. Management must be convinced of the value of the plan and support it. The plan should be integrated into the business without causing undue interruption or disruption.
Employees should have a part to play in the creation of the plan and its maintenance. Each employee should detail what they normally do and the critical functions of each department must be highlighted. The plan must outline concrete ways of how these functions will continue if there is a loss of resources.
A key feature of a business continuity plan is making provision for alternative resources (such as equipment or premises). If equipment is damaged, it must be known where repair or replacement can be accessed.
Contact information for customers, staff members, suppliers and other personnel important to the company’s operations must be readily available in the event of a crisis. This information has to be stored and duplicated at sites other than at the company.
The plan must include the persons responsible for ensuring that the recovery process is carried out if the need arises. Simulation exercises should be carried out to ensure that the plan is workable and that all persons understand their role.
Review and maintenance of the plan is critical. Simulation exercises may reveal flaws in the plan. Procedural, organisational and other changes may necessitate modification of the plan.
Not many organisations can afford to pay for the costs of a recovery, and having insurance in place will ensure that funds are available to pay for such costs.
A review of all the threats and risks will pinpoint what must be insured. The level of insurance coverage must be determined. Adequate insurance is important as underinsurance would result in insufficient funds to cover the recovery effort.
It is also important that someone is appointed to gather information related to possible claims that may arise following any disaster. Liaison with the organisation’s broker and insurer(s) would ensure that the claims settlement process is as smooth as possible.
SUMMARY OF KEY ISSUES TO ADDRESS AND ACTIVITIES TO PERFORM
Purpose and scope: Define the scope and objectives of the business continuity plan.
Business continuity organisation: Define the roles and responsibilities for team members. Identify the lines of authority and delegation of authority. Address interaction with external organizations including contractors and vendors.
Contact data: Identify various people to contact in an incident and locate their contact information at or near the front of the plan. Identify emergency notification contacts.
Business Impact Analysis: Insert results of Business Impact Analysis. Identify Recovery Time Objectives for business processes and information technology.
Business Continuity Strategies and Requirements: Insert detailed procedures, resource requirements, and logistics for 1) execution of all recovery strategies, 2) relocation to alternate worksites, 3) data restoration plan for the recovery of information technology.
Instructions for using the plan: Provide information about when and how the plan will be activated, who declares a disaster, and who should be contacted.
Notification of incident affecting the site: Information needs to be gathered before officially declaring a disaster; this includes damage assessment data and first-hand reports from staff and first responders; convene meetings as soon as possible with key emergency team members to evaluate the facts before proceeding to a declaration.
Decide on course of action: This section addresses actions to take when it becomes obvious that management needs to declare a disaster. A damage assessment can be initiated either before or after the declaration.
Checklists and flow diagrams: Assuming a situation has occurred, have steps identified to address it; these can be in the form of checklists (useful to keep track of scheduled and completed tasks) and flow diagrams that provide a high-level view of response and recovery.
Business recovery phase: This section provides instructions on recovering operations, relocating to an alternate site and related activities.
Plan review and maintenance: Describe how often the plan is to be reviewed and updated, and by whom.
Appendixes: These include lists and contact details on all emergency teams, primary and alternate vendors, alternate work space locations, and other relevant information. It is very important to keep this information up to date.