Creating Your Business Continuity Plan: What You Need to Consider

April 28, 2020

With the rapid transition to remote work, your company’s business and IT leaders have been laser-focused on basic operational needs for the moment. However, now that the emergency crunch is past, you need to make an honest assessment of how you’ve handled this crisis and begin thinking about how you can improve business continuity going forward.

The Coronavirus outbreak has been an object lesson in why your business needs a solid Business Continuity Plan. Security threats, network service disruptions, natural disasters and even pandemics are potential disruptions to your operations and livelihoods. We know now that they can and do happen with very real impacts to your organization, employees and customers.

So, where should you begin? Good question. It may seem overwhelming to anticipate every contingency, so we’re offering a framework for building a plan. Start by dividing your plan into two phases – one before and one after the event:

  • Pre-event: Business Continuity
  • Post-event: Disaster Recovery

Although, they’re often used interchangeably, business continuity and disaster recovery are not the same thing. Disaster recovery is a reactive plan for responding after an incident has occurred while business continuity is a proactive plan that prepares your organization so that in the event of the disaster, you can continue operating or get up and running quickly.

Business Continuity – Pre-Event
Here are four steps to help you develop a Business Continuity Plan:

  1. Conduct a Business Impact Analysis (BIA)

A business impact analysis identifies the financial cost impact of a sudden and abrupt loss of business functions. The BIA requires you to look at your organizations processes as a whole and determine which are most important to your bottom line. A byproduct of this exercise is that your company may decide to outsource functions that aren’t core competencies (e.g., managing your phone system), reducing overhead and offloading some responsibility for continuous operation. That said, you’ll need to make sure your vendor has their own Business Continuity Plan.

  1. Identify Dependencies & Tolerance Levels

Once you’ve run through your BIA, you’ll have identified critical functions and how they interact with various business areas in your company. Next, you’ll need to determine how long you can tolerate downtime in each critical function area before your business starts to suffer financially. You’ll also want to do this calculation considering simultaneous breakdowns across function areas. This will help you understand how a multi-faceted failure affects your time to respond and the financial impact.

In addition, you’ll want to consider responses based on the severity of the event. For example, losing access to your office in a controlled manner through a mandated quarantine requires a different response than a sudden natural disaster that physically damages your place of business with limited, if any warning.

  1. Identify Prevention Measures

Your BIA will have exposed a number of flaws your organization can shore up that will aid in stopping a companywide disaster scenario. A simple example of this is enabling emergency remote work solutions for employees, which has helped many businesses like yours continue to operate during the pandemic despite being unable to access their corporate offices. Remote work solutions also have been valuable in the past for helping companies survive hurricanes and floods that have shutdown business districts.

  1. Create a Process to Maintain Operations

A Business Continuity Plan is a long-term process for your team to follow before, during and after the disaster event. Your Disaster Recovery Plan (see next section) kicks in during and immediately after an event, but is temporary. Think of it like this: If the event is breaking an arm and going to the emergency room, then your Business Continuity Plan is the cast or sling that allows your arm to heal and return to normal. Similarly, enabling staff to work from home while the quarantine is in effect or while you look for a new office location after a natural disaster is part of your Business Continuity Plan. The objective is to move your organization through the crisis, disaster recovery phase and back to normal operations as quickly as you reasonably can.

Here are a few potential questions to ask about your ability to maintain operations:

  • If you lose access to your office location, is your team prepared to transition to a remote work scenario?
  • If your on-premises PBX fails, how will you forward calls, routing or access voicemail?
  • If your office loses power, are your communications applications, critical files and records stored in the cloud, so your company can access them?

Disaster Recovery – Post-Event
While you want to have a plan to enable continuous business operations, you also need a plan to respond and recover from an incident or event. Here are three things to consider when developing your Disaster Recovery Plan:

  1. Assign Disaster Recovery Roles

Your team will need to appoint a person in every department who will be responsible for communicating with their team and carrying out the duties assigned to their department. Ideally, you’ll want to have an individual — or even two as a backup — responsible for each area. However, if you’re a small business, you may need to double up.

One of the roles every company needs to establish is communications – both internally to employees and externally to customers, suppliers and other key stakeholders. It’s important that everyone is made aware of the emergency situation, what is being done to resolve it, what they individually can/must do (if applicable) and when the resolution is expected to be completed.

  1. Collect Contact Information

In follow-up to the previous point, emergency contact information for employees need to be documented, routinely updated and stored in the cloud, so that they’re accessible from any device with an Internet connection.

Emergency contact information includes:

  • Cell & Home Phone Numbers
  • Email Addresses
  • Physical Home Addresses
  • Employee Emergency Contact
  1. Prioritize Communications

You’ll need to decide who needs to be contacted and/or helped immediately after the disaster in the following order:

  • Employees – Your staff needs to be notified first, so they can respond according to your predetermined plan.
  • Customers – If the disaster or business interruption impacts your customers, you need to communicate with them as soon as possible to preserve your revenue stream.
  • Vendors – Any companies that supply services to your business and/or to your clients on your behalf also may need to be notified if this situation impacts them. Depending on the nature of the disaster, you may need to contact them to confirm their abilities to continue to provide service to you and your clients as was the case with the current pandemic, which has disrupted some industry supply chains. (Note: you already should know their preparedness prior to an event.)
  • Public – Depending on the nature of the disaster (e.g. a security breach) and your status (e.g. publicly held), you also may have obligations to notify the public about the situation. It may be as simple as a status update on your website, or it may require a press release. Consult a crisis communications professional to develop these plans.
  1. Publish & Practice Your Plan

Your plan will not do any good if it sits in a filing cabinet. It needs to be circulated and reviewed by all key stakeholders, so they know the details of the plan and their role. They also need to know where the updated plan lives – literally where is it stored (in the cloud is recommended) – so they can reference when needed. Since emotions will be running high if an actual event occurs, it also makes sense to run mock scenarios in which your team practices their roles. This has the added benefit of identifying gaps in the plan. Because your company structure and employees will change over time as will your response options, you should revisit these plans at least annually if not more often.

A genuinely effective Business Continuity Plan takes time and planning to create, but it’s an investment your company can’t afford not to make.

Need Help Creating Your Business Continuity Plan?

Contact a FlexIP Solutions Specialist Today!

Get Updates from FlexIP

Join our mailing list to receive the latest news, offers and tech tips from our team.

Thank You for Subscribing to FlexIP!