Bad news is seemingly dominating the nightly news headlines. Disasters appear to be everywhere we turn. When a disaster such as a data breach occurs, it's incredibly stressful and chaotic. Things need to be decided and done quickly or all of the organization's data could be permanently lost. Note: It's not IF a disaster will occur, but WHEN a disaster will occur. Does your organization have a written business continuity planning (BCP) plan defining how to handle the disruption?
Creating a documented, comprehensive, and tested business continuity plan and IT disaster recovery plan before the next disaster occurs is crucial. Otherwise, employees are forced to muscle through the best they can, and there is a good chance that critical tasks will inadvertently not get done or be much harder than normal.
If your organization doesn't have a written BCP plan, here is a framework you can use to create a basic BCP plan, and then continue to enhance it.
How To Create A Business Continuity Plan (BCP)
1. Identify the key risks: incidents (e.g. cyberattack, pandemic, active shooter), outages (such as a power failure), and natural disasters (e.g. tornado, wildfire, earthquake). Do a risk assessment to determine the probability of occurrence (high, medium, low) and impact (enterprise-wide, regional, department-specific, etc.).
2. Take the risk assessment and do a business impact analysis (BIA) to determine how the organization would be impacted. Create a BIA questionnaire for each department to identify things such as potential lost income, outsourcing expenses, regulatory penalties, etc. Additional information can be found here.
3. Use the BIA information to create the business continuity planning (BCP) plan. There is specific software you can purchase, but if you're just starting out, I've created BCP plans using Microsoft Word. Additional information can be found here.
- Create a separate 'chapter' for each department, and have IT create a disaster recovery plan.
- Identify technology systems/applications and classify them based on how quickly they need to be up and running (mission-critical, essential, non-essential).
- Identify which employees are critical and which are non-essential, as well as those who have skills that can be used in other departments and those who speak different languages.
- Identify if there are any critical vendors or VIP customers that need to be notified.
- Identify other resources (e.g. hard copy plan, desktops/laptops, other equipment, forms, supplies, etc.) that will be needed, especially if you're resuming operations at an alternate location.
- Don't forget to create a communication plan.
- Who can declare a disaster? Talk with the press?
- Make sure employees know what to do.
- Have a special phone number employees can call to hear instructions (to report or not); have call info on a business card and distribute to employees; and/or purchase a system (such as Everbridge) to make outgoing calls/texts (will need up-to-date contact info).
4. The BCP plan should be reviewed at least annually. Departments should update their section of the BCP plan whenever the business changes (a new process or service), there is a new regulation, etc.
5. Test the plan at least annually and minimally via a tabletop exercise. This gives departments the opportunity to gather lessons learned and update their plan for things they didn't account for or forgot to update. For example, you didn't update the team directory and as a result had incorrect phone numbers, or you didn't realize that one of your critical employees had resigned and wasn't replaced.
Another resource is the Association of Contingency Planners. There is a BCP intro and industry resources.
Once you create a basic BCP plan, you can continually enhance it. So, when the next disaster occurs, your organization is better prepared and more effective. Employees will benefit from all of that planning and know what to do.
For more information on having a comprehensive business continuity planning (BCP) plan, follow me on LinkedIn!