Most risk and compliance professionals already grasp the importance of business continuity planning. Pandemics, climate disasters, cybersecurity attacks, and supply chain instability tend to have that effect on this crowd.
But there’s a big difference between understanding the need for business continuity and developing an actual business continuity plan. Bridging this gap involves risk assessments, internal control remediation, and testing — with plenty of input from all parts of the enterprise along the way.
How can you start building a business continuity plan? Which steps are most important, and which ones are hardest to get right? Read on to see the necessary steps in this process - after all, catastrophe is going to strike sooner or later.
1. Do a Risk Assessment Using a Business Continuity Framework
Like other risk-management efforts, business continuity planning begins with a risk assessment. The details of that assessment, however, might be more intricate than most risk and compliance professionals are used to; that's why most organizations use a business continuity framework, such as an ISO standard or the NIST Cybersecurity Framework, to work through the risk assessment methodically.
The goal of a business continuity risk assessment is, first, to map the organization's business objectives to the processes that support those objectives; and then to match those processes to the assets that support them. Once you understand how processes and assets support business objectives, the question becomes: "How could those assets be put at risk?"
For example, say a business objective is the timely delivery of goods and services to customers. The processes would include accepting customer orders, assuring sufficient inventory, and shipping goods from loading dock to customer. The assets would include IT systems to place orders, goods in the warehouse, and a reliable third-party shipping service.
We could identify 100 different ways those processes and assets could fail and disrupt the business. The above example is only one of many objectives and processes a business continuity plan should address. Without a framework to guide that analysis, the odds of overlooking a critical threat increase dramatically.
2. Do a Business Impact Analysis
The results of the risk assessment will inform the business impact analysis (BIA). A business impact analysis takes the assets you identified that support your most critical business processes, and asks: “What would happen to those processes, and our ability to achieve our objectives, if the assets were suddenly unavailable?”
The BIA should tell you which goods, IT services, or employees are crucial to mission-critical business processes; and which risk events (power failures, hurricanes, IT system outages, pandemics, etc.) would cause the most disruption if those risks aren’t remediated.
Many companies prioritize risks to business continuity by using the risk assessment and BIA to generate a business impact score for each continuity risk; the higher the score, the more dangerous a risk is to business continuity. (Software is often used to assess risk and generate that score automatically.) Then you can develop a business continuity plan that addresses mission-critical risks first and the rest later.
3. Develop the Business Continuity Plan
The business continuity plan (BCP) can address risk in several ways. Here are a few examples:
- To avoid a shortage of critical components, for example, you might adopt a policy that specifies “When we’re down to our last 100 widgets, we order a fresh batch.”
- To avoid failures of critical IT systems, you might decide to establish backup data centers with all transactions archived to those sites every 12 hours.
- To avoid failures with critical third parties, you might maintain lists of alternative providers and have a policy to test the resiliency of those critical third parties every 60 days.
The business continuity plan should be documented and shared with senior executives and operations teams, so that everyone understands their responsibilities in the event of a disruption.
The plan also demonstrates responsible risk management to business partners, regulators, investors, and other stakeholders. The BC plan indicates that the organization has identified risks to business operations and put steps in place to keep those risks in check.
4. Communicate, Practice, and Monitor
A business continuity plan is a living document; you can't leave it in a desk drawer to gather dust until disaster arrives. Risk managers need to put their business continuity plans to work in multiple ways.
Communicate: Circulate drafts of the plan among senior management and operations executives so all stakeholders know what it includes. Ask for feedback: What might the plan overlook, and which proposed mitigation steps aren't practical? When the plan is finalized, share it with everyone in a key role for helping the organization endure a disaster.
Practice: Hold table-top exercises or drills of possible disasters at regular intervals. You might even hold table-top exercises for each draft of the plan, so risk managers can see what ideas will or won’t work in practice. The goal in stepping through the plan and response is to train key employees on their roles during a crisis, and to test the plan for weaknesses.
Monitor: Risks to business continuity will evolve. Resources may become more or less scarce, service providers may merge or go out of business, reorganizations send key employees into new roles, and so on. Just like any other risk-management work, third-party and other risks should be assessed on an ongoing basis, and the BC plan should be updated as necessary.
Mike Tyson once said, “Everybody has a plan until they get punched in the mouth.” This doesn’t need to be the case in business. Business continuity plans take time, effort, and collaboration, but they can guide your organization through disaster — and they’re far better than the alternative of having no plan at all.