Events like market crashes or worldwide pandemics don’t happen often, but when they do, most businesses are caught off guard. This leads to mass layoffs, budget cuts, and unfortunately closing down shop either temporarily or permanently. When you take a look at businesses, especially small businesses, who can survive these types of disasters? what do they have that you don’t have? Why do they get to survive while you or your colleague’s business tank?
A lot of it has to do with not luck or good marketing, but systems and processes. Mainly, business continuity plans. This may sound unnecessary when things are going good, but nothing stays good forever. If you want to have a successful long-running business, you need to be able to weather storms, bumps in the road, and near K.O. hits.
So, what does a business continuity plan entail? You’ve come to the right place.
Business continuity usually goes hand in hand with disaster recovery. Business continuity refers to maintaining business functions or quickly resuming them in the event of a major disruption, whether caused by a fire, flood, or malicious attack by cybercriminals. Questions and items to consider when creating a business continuity plan are:
– Is there a backup of your critical assets in place outside of your office?
– What plan is in place to continue working- whether that be remotely or at another office building?
– Are your critical processes documented?
– Do you have access to insurance, financial, and legal documents outside of your building?
– Who has the authority to declare an emergency or disaster?
– Do you have a plan for communicating with internal staff, vendors, and clients regarding a potential disaster or emergency?
– Who is in charge of admin tasks if the office is closed in the event of a disaster? Tasks such as collecting mail from the office, building security, and updating clients and employees on reopening dates.
These questions merely scratch the surface when creating your business’s plan, but it’s a great place to start. A vigorously tested, well-documented and communicated plan will save you from “winging it” during the recovery phase and get your business up and running quickly should disaster strike.
It sounds as though a business continuity plan is just a word document, but there’s more to it than that. Here are the other components of a successful plan:
Business Impact Analysis (BIA)
A business impact analysis (BIA) is the process of determining the criticality of business activities and associated resource requirements to ensure operational resilience and continuity of operations during and after a business disruption. Your Business Impact Analysis should be based on your size and complexity; the larger and more complex the institution is, the more detailed the list of business processes you should be reviewing in your BIA. For example, a larger institution might break out a smaller institution’s “Administrative” process out into several processes, such as “Accounts Payable,” “Human Resources,” and “Payroll.”
Examples of these business processes are administrative, marketing, accounting, IT, customer service, and compliance. Go through each one and describe any and all important processes that the given department is responsible for.
Determine acceptable downtime for your business
In the same way that you need to establish your processes, you will need to establish your timeframes for recovery. The most common three are RTO (Recovery Time Objective) RPO (Recovery Point Objective) and MAD (Maximum Allowable Downtime).
RTO- The amount of time in which your processes can be restored in the event of a disaster. RTO is defined by the length of time it would take you to restore a system or process from backup. RTO can be measured in minutes, hours, or days.
RPO- The maximum tolerable period in which your data might be lost due to a disaster or cyber attack. RPO is typically identified by the timeframe between data backup increments. RPO can be measured in minutes, hours, or days.
MAD- The absolute maximum time in which a business process can be unavailable without significant ramifications to the institution. MAD should also include the time it would take to restore a business process to full operation once the backup has been restored, including the time it would take to recreate any lost data and test the restored data for integrity. MAD can be measured in minutes, hours, days, or weeks.
Review Your Plan
Validate that the recovery times that you have stated in your plan are obtainable and meet the objectives that are stated in the BIA. They should easily be available and readily accessible to staff, especially if and when a disaster were to happen. It’s important to incorporate many perspectives from various staff and all departments to help map the overall company feel and organizational focus. Once the plan is developed, have an executive or management team review and sign off on the overall plan.
Test, and Test Often
A business continuity plan means nothing if it’s not working. It’s crucial that you test your plan often, and update items as things change within your organization.
Plan simulated disasters and reenact your plan to make sure everyone knows their part, tasks are not disjointed, and nothing is forgotten. Review the plan documents twice a year to ensure that new employees, new departments, and new applications are accounted for. That also includes updating your Business Impact Analysis if your RTO, RPO, or MAD timing changes.
Business Continuity plans are critical to your business, and if done correctly, can save you time, money, and headaches. If you need to discuss creating a business continuity plan, give us a call at (201) 796-0404