Has your organization been affected by a ransomware attack or some other type of disaster? If so, you quickly figured out that time is of the essence! Did the organization have a comprehensive and well-thought-out business continuity planning (BCP) plan defining how to handle the disruption? Or did each line of business muscle through, with some areas faring better than others?
Disasters are chaotic, so you want to minimize stress as much as you can. If your organization doesn’t have a written BCP plan, you can commit to starting one today. The BCP plan documents how the organization will continue to operate (who, what, where, when, and why) during a disaster. It also documents how to get back to “normal” operations after the disaster.
Creating A BCP Plan
Some of the key steps to create a BCP plan are:
1. Identify the key risks and perform a risk assessment of the different types of disasters, from natural disasters and major power outages to cyber threats and other potential risks. What is the likelihood of the disaster and the subsequent impact (enterprise-wide, regional, department-specific, etc.) for your organization? You can create a basic chart such as the following:
2. Perform business impact analysis (BIA). I typically create a BIA questionnaire wherein each department identifies its processes, resources, etc. Since you probably don’t have enough resources to recover everything immediately, you’ll need to prioritize and assign criticality (e.g., mission-critical, essential, and non-essential). Make sure you consider financial, regulatory, and/or legal impacts. Additional BIA information is available on the Ready.gov site.
3. Create a detailed BCP plan. It should contain information such as potential alternate locations, equipment/supplies needed, and contact information for critical employees as well as key vendors and customers. You may need copies of documents such as procedures, insurance policies, blank paper forms, and even a hard copy of the plan. Additional BCP information is available on the Ready.gov site.
There are multiple tools to create the plan, ranging from Word to specific BCP software solutions. Even if you use Word, creating templates for all departments to use will keep the document consistent and facilitate collaboration. The plan needs to be easy to read and use to facilitate communications.
4. One of the most important steps is to review and test the plan regularly (at least annually). Tabletop testing is good, but more rigorous testing such as a simulation is better. If certain departments have more “mission critical” processes, they want to be confident that they can continue during an interruption. Testing is critical and has multiple benefits including:
- Testing helps you identify gaps, weaknesses, or missing/unclear information. Update the plan based on the lessons learned from testing. This is particularly important if some primary individuals are unavailable, and other “backup” individuals who don’t know the process(es) as well are required to do the work.
- Business is continually impacted by changes—some major and others seemingly minor. For example, do you have a sound process to maintain accurate contact information for your employees (especially when you have turnover)? Regular reviews of your plan such as quarterly self-certifications can help you make sure your plan is current and reflects business, regulatory, and other changes.
- Regularly reviewing the plan will help employees maintain awareness and increase familiarity with the plan (which is important during an already chaotic and stressful situation).
- Depending on your organization’s industry, you may be subject to BCP-related compliance requirements. You want to mitigate compliance risk from oversight by regulators and/or government agencies.
You will be affected by some type of disaster—yes, it’s when (and not if) the next disaster occurs. If you have a comprehensive and well-thought-out BCP plan, you’ll be poised to pivot and get through the disruption more effectively.
For more information on the benefits of having a comprehensive business continuity planning (BCP) plan, follow me on LinkedIn!