Threats to your organisation’s ability to function in a profitable way can appear almost overnight. And we are not just talking about once-in-a-century global pandemics. Anything that affects your ability to operate normally could be considered a business continuity issue.
The list would include fire, theft and vandalism. It would certainly include the kind of extreme weather events (like flooding and extreme heat) that climate change is making more likely. But even a harsh, snowy winter that stops your team getting into the office could be considered a business continuity challenge.
Then there are cyberattacks of course, which are a real and growing danger for businesses large and small. This does not have to involve organised criminals or shady foreign governments. An ex-employee with a grudge and access to your IT infrastructure could do a significant amount of damage.
We could go on, but suffice to say that business threats are not rare, one-off occurrences. Taken together, they are common and growing risks, which is why every business needs a business continuity plan.
What is a business continuity plan?
A business continuity plan is simply the process of putting contingencies in place to avoid damage from these kinds of incidents in the first place, or to recover quickly from them if that is impossible. You do not have complete control over the former, but you do over the latter.
Your plan is an essential part of your risk management strategy, and defines what your threats might be and what you can do to avoid or mitigate them. It starts with a simple risk assessment, and then goes into detail about what to do if the worst happens.
Disaster recovery is a large part of business continuity planning. But while disaster recovery deals predominantly with protecting data and IT infrastructure, a business continuity plan is a more holistic document, encompassing resilience and recovery strategies for all core operations.
Your business continuity plan checklist
The exact contents of your business continuity plan depend to some extent on your size, sector and vulnerability to common threats.
But all plans share many of the same general elements. With that in mind, here is what you need to do to put a basic business continuity plan in place, and what it should include.
Assemble your team
First off, you need to assemble the team that will put the plan together. In a small business, that might just include the owner or CEO and a couple of senior team members. In larger businesses, it might include senior managers plus heads of the most relevant departments, like IT, estates and operations. Each individual will be responsible for drawing up different parts of the plan.
Identify your risks
But before that, you have to work out what risks you face, and how serious the threat from each really is. This list should be exhaustive, and will be different for different businesses, depending on location, sector, size and other factors.
For example, is your business in or near a flood plain? Do you handle sensitive customer data? How reliant are you on connectivity for everyday operations? For that matter, where are your data and applications stored?
Do not just think about your own business but also the businesses you depend on. For example, are you dependent on an international supply chain that might itself be affected by extreme weather or political tensions (especially if they lead to trade wars)?
Brainstorm with your team to gather this information and make sure you cover every potential threat, and then prepare a business impact analysis.
This might not be an exact science, especially for a small business team, but you need to make at least rough calculations of business impact.
What does that mean? Quite simply, it means that after you’ve identified a threat, you should analyse its potential for business disruption.
For example, if the ground floor of your office was flooded, what would that mean for your people, documents, data, IT and so on? If a container ship is stuck in port by a hurricane a thousand miles away, what would it mean for your ability to make what you make?
Do not forget more humdrum threats. If the power went out for a day, what effect would it have on your productivity and profits?
This analysis should seek to identify weak points in your organisation, and create priorities for protection and mitigation.
Draw up your plan
After identifying and analysing threats, you can take a stab at drawing up the first draft of your plan.
Again, the exact details will depend on your company, but the important thing is to map out a clear strategy, set recovery goals and allocate resources.
For each threat, state what it is, the effect it might have, and what the business will do in the event of the threat occurring.
A flood, for example, is a catastrophic event that would keep people away from your premises, cause power outages and take down IT. A mitigation plan might include:
- Contacting a commercial property partner to arrange temporary premises
- Contacting staff and customers to make them aware
- Transitioning to home working and, if necessary, letting colleagues work on personal devices
- Spinning up back-up IT systems and applications stored in the cloud
That is obviously simplistic, and there is much more detail to add, but by building out each threat in a similar way a fully formed business continuity plan will gradually emerge.
Do not forget to allocate roles. Who will declare a disaster? Who will replace hardware (furniture, computers, phones) if required? Who will lease emergency office space? Who will be responsible for assessing the damage?
Create a chain of command so that everyone involved knows what they have to do and when they have to do it.
What you need to do now
What will also emerge are gaps in your defences that need to be filled straight away.
For example, it might become clear that your cybersecurity measures do not meet the magnitude of the threat from cyber-attack. In which case, closing that gap becomes a priority.
And in the flooding example given above, the contingency plan only works if employees have the means to work from home, and you back up data and applications to the cloud. As the pandemic has shown, these are key elements of any disaster recovery strategy.
Similarly, make contact now with commercial property partners, outsourced IT support or third party back office support businesses (or anyone else who could help you recover quickly from a disaster), and start nurturing those relationships.
Educate your employees
Once you’ve created a plan, you need to make it available to everyone, and especially to those who’ve been allocated duties in the event of an incident.
Then you need to educate employees in areas that might affect them, because everyone will have a part to play.
How do you connect securely to the corporate network if you have to work from home? How do you identify a potentially dangerous email attachment? What do you do for your own safety during extreme heat? How do you communicate with customers if an incident means goods or services might be delayed?
More specific roles will need more specialist training. Your plan should identify where this might be necessary.
Test and revise
Have you covered everything? You will not know unless you test your plan.
This might simply take the form of a desktop walkthrough, with relevant team members talking through each step together and making suggestions for improvement. For larger businesses, it might involve modelling a common disaster scenario and mapping the outcome.
The main thing is that your plan should not be static. If there are gaps in your plan, fill them. And remember, if in future you update hardware or software, open new locations, hire more staff or move offices, your business continuity plan should be updated accordingly.
Ultimately, the takeaway here is that if you do not have a business continuity plan you cannot be confident of surviving the next local, national or international crisis.
Businesses face threats, and many of them are increasing. But even mundane events like a transport strike or a power outage can cause damage to your organisation if you do not have a plan in place to deal with them.
There is no doubt that disaster recovery, and the implementation of resilient IT and cybersecurity measures, are a fundamental part of any business continuity strategy. As a vastly experienced outsourced IT provider, Cloud & More can help in those areas.
Get in touch and we will gladly audit your IT estate with business continuity in mind. We can then suggest ways to make your digital systems and tools more robust.
But whatever you choose to do first, the main thing is to do something. Assemble your team and start identifying your risks, and then take it from there. As you start down the path to resilience, you will begin to realise just how important business continuity planning really is.