Crisis Management Plan

Did you know that 25% of businesses never recover after a major crisis? This startling statistic underscores the importance of having a well-prepared crisis management plan in place.

In this article, we’ll explore what a crisis management plan is, the benefits of implementing one, and the steps to create an effective plan. We’ll also introduce the role of Erwood Group in helping businesses develop and execute their crisis management strategies.

Definition of a Crisis Management Plan (CMP)

A crisis management plan, or CMP, is a well-thought-out plan that a business puts together to deal with any critical situation that may arise. But, you might ask yourself, “what is a crisis management plan?” In simple terms, it is a guide that helps businesses prepare for, respond to, manage and recover from unexpected events that could hurt the business.

Overview of a CMP

A crisis can come in many forms, such as natural disasters, cyber-attacks, loss of a key employee, or public relations issues. A CMP is designed to help businesses manage these challenges effectively.

It lays out the steps to take, the people to involve, and the actions required to handle a crisis. A good plan is like a safety net, ensuring that a company can bounce back from a tough situation.

Objectives of a CMP

A CMP has three main goals. The first is to protect people, such as employees, customers, and the general public, from harm. This can mean providing guidance on how to stay safe during a crisis or offering support to those affected.

The second goal is to keep the business running as smoothly as possible during a crisis, disaster or disruptive situation. A CMP can help reduce the impact of a crisis on daily operations and ensure that critical core services are still available.

Lastly, a CMP aims to protect the company’s reputation. In today’s world, news spreads fast, and a poorly handled crisis can quickly damage a business’s image. A well-prepared response can show that a company is responsible and cares about the well-being of its customers, employees, and other stakeholders.

Key Components of a CMP

Every business is different, but there are a few key elements that every crisis management plan should include. First, it should identify the possible crises that could affect the company. This can help businesses prepare for the most likely events.

Next, a CMP should outline the roles and responsibilities of the crisis management team. This team is made up of people from different parts of the company who will work together to manage the crisis.

A good Crisis Management Plan will also have clear instructions on how to communicate with employees, customers, and the media during a crisis. This helps to ensure that everyone gets accurate information, knows what to do, and that messaging is consistent.

Finally, a CMP should include a plan for how the business will recover from the crisis. This can involve:

  • Recognizing the Crisis Event
  • Assessing the Crisis and damage
  • Mitigating the disruptive event and/or preventing further damage
  • Managing and initiating the implementation of Contingencies
  • Rebuilding damaged infrastructure
  • Addressing any long-term consequences of the event
  • Getting back to normal operations
  • Closing of the Crisis Response

Benefits of Implementing a CMP

A crisis management plan (CMP) is more than just a smart idea. It’s an essential part of a company’s business strategy. By developing and implementing a CMP, businesses can enjoy several important benefits that help them navigate difficult times and come out stronger.

Improved Decision-Making During Crises

Crises often require quick thinking and fast action. A CMP provides a clear plan for how to handle a disaster, emergency or disruptive situation, which allows businesses to make better and more efficient decisions under pressure. With a CMP in place, leaders can focus on the most important tasks and implement strategies to continue key core business processes, rather than wasting time trying to come up with strategies after an event.

This allows a business to quickly pivot or transition into pre-planned strategies, so it can continue operations and become more resilient. Better still, with the right strategies in place, businesses will be able to absorb and endure the crisis while still maintaining full operations. We at the Erwood Group call this Operational Endurance™.

Protection of Company Reputation

In a crisis, a company’s reputation is often at stake. A well-designed CMP ensures that businesses respond to crises in a responsible and transparent manner, which can help maintain or even enhance their public image. This can be especially important in a world where news travels fast, and a company’s reputation can be damaged in an instant.

Enhanced Business Continuity

One of the main goals of a CMP is to keep the business running during a crisis. By planning for potential challenges, companies can minimize disruptions to their operations and maintain essential services for their customers.

This not only helps to reduce financial losses but also shows customers that the business is reliable and committed to meeting their needs, even in difficult times.

Increased Employee and Stakeholder Confidence

A well-prepared business is a confident business. When employees and stakeholders know that a company has a solid plan in place for handling crises, they are more likely to feel secure and trust in the company’s ability to weather any storm.

This can lead to increased loyalty and commitment from employees, as well as increased confidence from investors, partners and customers.

Reduced Legal Liability

Implementing a CMP demonstrates that a company is proactive in addressing potential crises. This can help reduce legal liability in case of an incident.

By having a plan in place and taking appropriate actions, businesses can show they have done their due diligence. This can potentially lower the risk of lawsuits or regulatory fines resulting from negligence or lack of preparedness.

Competitive Advantage

Companies that effectively manage crises can maintain or even improve their market position. This is because they are perceived as more resilient and reliable.

By handling problems well, these businesses can stand out from competitors who have a hard time recovering from similar situations. This attracts customers, investors, and partners who appreciate a stable and trustworthy company.

Better Resource Allocation

A CMP enables companies to identify the resources required for crisis response, such as:

  • People (employees, contractors, customers, vendors etc.)
  • Property (assets, buildings, equipment, IP)
  • Processes
  • Data & Information
  • Finances
  • Security

By allocating these resources efficiently, businesses can ensure they are prepared to respond effectively, minimizing the impact of the crisis on operations.

This proactive approach to resource management also helps avoid scrambling for resources during a crisis, which can lead to costly mistakes and delays.

Steps to Create an Effective Crisis Management Plan

Creating a crisis management plan might seem overwhelming. By breaking it down into simple steps, businesses can develop a plan that will help them navigate any challenge. Here are the key steps to create an effective CMP:

Identifying Potential Crises

The first step is to think about the kinds of crises that could affect your business. This might include natural disasters, cyber-attacks, or public relations problems. By knowing what might go wrong, you can create a plan that addresses these specific challenges.

If you need a starting point you can obtain our Risk Reference Card which outlines the common crisis events that impact businesses.

Establishing a Crisis Management Team

Next, it’s important to put together a group of people who will be responsible for managing the crisis. This team should include members from different parts of the company, such as:

  • Communications
  • Facilities
  • Finance
  • Human Resources
  • Information Technology
  • Operations

Each person on the team should have a clear role and know what they are responsible for during a crisis.

Developing Response Strategies

Now that you know the potential crises and have a team in place, it’s time to develop strategies for how to respond to each crisis. This might involve:

  • Creating evacuation plans
  • Creating Shelter in Place plans
  • Outlining steps for dealing with cyberattacks
  • Developing guidelines for communicating with the media
  • Developing templates to communicate with employees, customers, vendors
  • How to operate with a reduction in personnel or supplies
  • How to operate if your facility is impacted
  • And more

These strategies should be flexible, as every crisis is different and may require unique solutions. We here at the Erwood Group recommend thinking of your plans as the toolbox and the strategies themselves as the tools to implement in certain situations. The more strategies you have ahead of time, the more tools you have at your disposal in the event of a crisis.

Allocating Resources for Crisis Management

Handling a crisis often requires resources, such as money, equipment, and personnel. Be sure to allocate the necessary resources for crisis management, so your team has what it needs to respond effectively.

For instance, you may want to allocate a conference room or even have a dedicated area to utilize as an Emergency Operations Center (EOC) where your Crisis Management Team can meet. Alternatively, you can set up a dedicated virtual EOC (vEOC) if you’re not in a physical office or if the office itself is impacted.

Within the EOC you will also want to have some blank checks, credit or pre-paid debit cards, copies of contingency plans, strategies, and communication templates.

Creating Communication and Action Plans

Clear communications are extremely important during a crisis. Develop a plan for how you will share and communicate information with your employees, customers, and the media. This might include:

  • Setting up a dedicated phone line
  • Creating templates for press releases
  • Establishing a social media strategy
  • Selecting a Public Information Officer or key person to speak to the media

In addition, create an action plan that outlines the specific steps your team will take during a crisis. This can help ensure that everyone knows what to do and can act quickly when needed.

Training and Testing the CMP

Once you have developed a plan, it’s essential to train your crisis management team and employees on their roles and responsibilities. This can help ensure that everyone is prepared to act when a crisis occurs.

It’s also a good idea to test your CMP by running simulations or drills. This can help you identify any weaknesses in your plan and make improvements before a real crisis happens.

The Role of Erwood Group in Crisis Management

In today’s unpredictable world, businesses need to be prepared for any crisis that might come their way. At Erwood Group, we understand the importance of having a solid crisis management plan in place.

Our team of experienced consultants is dedicated to helping businesses like yours stay strong in the face of adversity. In this section, we’ll discuss the various services we offer and how we can help your company become crisis ready.

Be Ready for Any Crisis That Might Hit Your Company

No business is immune to crises, and the impact of a crisis on your company can be significant, from damaging your reputation to disrupting operations. That’s why it’s essential to be aware of potential risks and have a response plan in place. Our team at Erwood Group is committed to protecting your business and helping you navigate any challenges that come your way.

Crisis Management Team Creation

One of the key elements of a successful crisis management plan is having a dedicated crisis management team. Our consultants will work with you to create a team that is well-equipped to handle any issues that might arise. We’ll help you identify the right people for the job and provide the necessary training and guidance to ensure that your team is ready to respond effectively in a crisis.

Active Response to Ongoing Crises

If your company is already in the midst of a crisis, our active response team can help you manage the situation and minimize the damage. We’ll work quickly to address the problem, with the goals of sustaining credibility and trust, mitigating risk, protecting relationships and reputations, and keeping your business viable and running.

Our Five-Step Process for Crisis Management

At Erwood Group, we use a simple, four-step system to take your company from unprepared to crisis-ready. Here’s how it works:

1) Reach out to us by calling our office at 877-565-8324 or filling out our online contact form.

2) Our consultants will evaluate your organization and identify any areas of concern.

3) We use our Learn, Practice, Implement, Challenge™ (LPIC™) methodology to provide ongoing training and improvement for your crisis management team.

4) Once you’ve worked with our crisis management consultants, you’ll feel prepared for any scenario your business might encounter.

5) Impacted by a crisis? We’ll stand with you and provide guidance to get you through it. Unlike most of our competitors that will tell you to “Just Follow the Plan,” we are true partners to our clients and are here to assist you in your time of need.

Why Work with Our Crisis Management Consultants

There are several reasons to choose Erwood Group for your crisis management needs:

  • Our team has firsthand experience dealing with multiple crises, giving us the knowledge and skills to help other businesses prepare for and respond to challenging situations
  • We understand that every business is unique, and we tailor our consulting services to fit your specific needs and concerns
  • From building a crisis management team from scratch to training your existing team and providing assistance and guidance during a crisis, we’re here for you every step of the way
  • Our consultants can help you recognize the events leading up to a crisis, enabling you to respond faster and more effectively

By working with Erwood Group, you’ll gain access to a team of crisis management experts who are dedicated to protecting your business and helping you navigate any challenges that come your way. With our support, you can be confident that your company is ready to face any crisis, ensuring the safety of your employees, the continuity of your operations, and the preservation of your reputation.

Be Prepared for Any Crisis with Erwood Group

In a world filled with uncertainties, having a solid crisis management plan is crucial for the survival and success of any business. By following the guidelines discussed in this article and partnering with the expert consultants at Erwood Group, your business can be better prepared to face any crisis that comes your way.

Don’t wait for a crisis to hit. Contact us today to schedule a crisis management consultation and safeguard your company’s future.

The Multiple Factors Leading to the Collapse of Silicon Valley Bank

While the Bank itself bears the bulk of the responsibility for its own demise, in this article we are going to look at the multiple factors leading to the collapse of Silicon Valley Bank.

Formed in 1983, Silicon Valley Bank (SVB) was founded to provide financial services to startups, venture capitalists, and technology companies. At the time, the banking industry was not friendly to the needs of startups as many lacked revenues and the banking industry viewed startups as too risky.

Silicon Valley Bank understood these risks and managed them effectively early on through several methods. The first thing they did was include a well-connected Venture Capitalist (VC) on its board early on. This opened a close working relationship within the VC world. They would then collect deposits from businesses that were financed through these VCs. Some additional key risk reduction steps SVB took early on were:

  • They required a pledge of half of a startup’s shares as collateral (Reduced later to seven percent).
  • The startups tended to pay off the loans to retain control of the business which reduced losses.
  • SVB further reduced losses by selling these shares to investors.
  • They introduced startups to their own extensive network of VCs, lawyers, and accountants.
  • They also prioritized lending to clients of top-tier VC firms.

Why is this important? It shows that the bank did understand certain key risks and managed them effectively early on. But positions, markets, economies, and risks change. Here are the multiple factors that led to the collapse of Silicon Valley Bank.

Internal Mismanagement

The first, and most significant, impact was from internal mismanagement at SVB. The bank’s leadership failed to implement effective risk management policies, which led to poor lending decisions. SVB relied heavily on the technology industry, which made it vulnerable to market fluctuations. Additionally, the bank’s executives were accused of fostering a toxic work culture that led to high employee turnover.

There was a failure of good succession planning. The Chief Risk Officer, Laura Izurieta, exited the company in April of 2022. Though she stayed on as a consultant, the CRO position was left unfilled for eight months. During her tenure, she oversaw the bond-buying spree that led to the collapse. After the exit, the risk committee doubled its meetings to 18, suggesting concern and knowledge of the bank’s position.

Additionally, the head of financial risk management for the UK branch of SVB, Jay Ersapah, focused on multiple “woke” LGBTQ+ agendas even as the bank faced collapse.

Furthermore, the internal audit department was understaffed and unable to identify potential risks. The bank’s IT infrastructure was outdated, and the management failed to invest in upgrading it. This lack of investment made it easier for cybercriminals to penetrate the bank’s systems and steal sensitive information. SVB customers were deluged with scams during the collapse.

Finally, SVB’s leadership ignored warning signs about the bank’s financial health, such as a decline in profits and an increase in loan defaults.

Lack of Customer Service

The bank’s lack of customer service was a significant factor in its collapse. The bank was known for its focus on startups and venture capital, which led to a lack of attention to other types of customers.

Many customers felt that the bank was not providing enough support and services, leading to a decline in customer satisfaction and loyalty.

The bank’s lack of customer service was seen as a reflection of its culture and values, leading to a loss of customer confidence and further increased scrutiny from regulators.

Economic Factors

Silicon Valley Bank faced several economic challenges, including the rapid rise in interest rates. The economic environment over the last couple of years played a significant role in SVB’s collapse. The bank’s heavy reliance on the tech industry made it vulnerable to market fluctuations. When the COVID-19 pandemic hit, the tech industry was not immune to the economic fallout. Many startups and tech companies struggled to survive, leading to a sharp decline in SVB’s loan portfolio.

Additionally, the low-interest-rate environment made it challenging for the bank to generate income. SVB relied heavily on interest income from loans, and the low rates made it difficult to achieve profitability.

SVB invested heavily in bonds to take advantage of the higher interest rates as income from loans fell. Its intention was to hold the bonds until maturity. As the Fed increased interest rates, the bonds decreased in value. SVB had to sell bonds at a significant loss.

Finally, the bank’s exposure to the cryptocurrency industry proved to be a significant risk. The highly volatile nature of the crypto market led to significant losses for SVB.

Loan Losses and Declining Profits

Since SVB had a heavy focus on risky investments, particularly startups and venture capital projects, many of SVB’s loans went to companies that were not credit-worthy. These startups were largely vulnerable to market downturns and volatility.

The bank was heavily impacted by the 2008 financial crisis, which led to a decrease in lending opportunities and an increase in non-performing loans.

Additionally, the bank was impacted by global economic factors, such as Brexit and the US-China trade war. These factors contributed to the bank’s decline and ultimate collapse.

Business executives can learn from Silicon Valley Bank’s experience by ensuring their company is prepared for economic downturns and global economic factors.

With its heavy reliance on customers in the tech industry, SVB had trouble again in 2020 when the tech industry experienced a downturn. The bank’s profits declined even further, leading to a loss of investor confidence and increased scrutiny from regulators.

In addition, the bank’s profits were impacted by increased regulatory costs and fines. The bank had to spend significant amounts of money on compliance and legal fees, which impacted its profitability.

Furthermore, the bank’s profits were impacted by the departure of key executives and the loss of customer confidence, leading to a decline in business and revenue.

Regulatory Issues

Less known and less talked about, Silicon Valley Bank faced several regulatory issues that contributed to its collapse. The bank was under investigation by the Securities and Exchange Commission (SEC) for its handling of a failed Initial Public Offering (IPO). Additionally, the bank was accused of violating anti-money laundering laws.

Furthermore, the bank’s compliance department was understaffed and struggled to keep up with regulatory changes. SVB’s leadership failed to invest in compliance and risk management, which led to significant fines and legal expenses.

Competition

Silicon Valley Bank faced intense competition from other banks and financial institutions. The emergence of fintech startups and online lenders disrupted the traditional banking industry, making it more challenging for SVB to compete. Additionally, established banks such as JPMorgan Chase and Wells Fargo began to focus on the technology industry, encroaching on SVB’s territory.

Furthermore, SVB’s lack of diversification made it vulnerable to competition. The bank relied heavily on the technology industry and had limited exposure to other sectors, such as healthcare and energy.

Customer Losses

The collapse of several high-profile startups and tech companies led to significant losses for SVB. The bank had a large portfolio of loans to startups and tech companies, and the failure of these firms led to a decline in the bank’s loan portfolio.

Additionally, the bank’s reputation was damaged by the failure of these startups. SVB was seen as a bank that specialized in financing startups and tech companies, and the failure of these firms eroded the bank’s credibility.

Poor Capitalization

SVB’s capitalization was a significant issue that contributed to its downfall. The bank’s leadership failed to raise enough capital to support its lending activities, leading to a decline in the bank’s financial health.

Additionally, the bank’s investment in risky assets such as cryptocurrencies led to significant losses, further eroding the bank’s capitalization.

Lack of Innovation

In the early years, Silicon Valley Bank led with innovative and creative financing methods to reduce its risk while making loans to a risky and underserved market in startups.

SVB itself failed to innovate and keep up with emerging trends in the financial industry. The bank’s IT infrastructure was outdated, and the management failed to invest in upgrading it. Additionally, SVB failed to embrace emerging technologies such as blockchain, which could have improved its operations and reduced costs.

Furthermore, the bank’s lending practices were outdated, and it failed to adapt to changing customer needs. The emergence of fintech startups and online lenders disrupted the traditional banking industry, and SVB failed to keep up.

Lack of Transparency

SVB’s lack of transparency was a significant issue that contributed to its downfall. The bank’s leadership failed to provide clear and concise information about its financial health, leading to uncertainty among investors and customers.

In fact, the bank’s messaging to customers did little to stem the run on the bank and perhaps even contributed to the run on SVB.

Additionally, the bank’s compliance department was understaffed and struggled to keep up with regulatory changes. This lack of transparency led to significant fines and legal expenses.

Employee Turnover

Silicon Valley Bank’s toxic work culture led to high employee turnover, which contributed to the bank’s downfall. The bank’s leadership failed to address issues such as discrimination and harassment, leading to low morale among employees.

Furthermore, the bank’s compensation structure was not competitive, leading to difficulty in attracting and retaining top talent. The high employee turnover led to a decline in the bank’s productivity and profitability.

The Bank Run

[Image: Silicon Valley Bank collapse. Source: Visualcapitalist.com]

The bank run on SVB began after the bank took a loss of $1.8 billion when it sold off US Treasuries and mortgage-backed securities. It was initiated after CEO Greg Becker sent a letter to shareholders detailing the loss and the plan to raise $2.25 billion in capital. Visual Capitalist does a great job with a timeline and more financial details on the SVB collapse.

According to regulators, customers immediately started pulling their money out of the bank. These customers included many of the venture capital firms and their clients.

Problems With Money Transfers

One of the key events leading to the run on SVB was connected to Peter Thiel’s Founders Fund. During a “Capital Call,” in which it had asked investment partners to send funds to invest in a company by transferring funds to their own Silicon Valley Bank account, the funds failed to go through immediately as normally expected. Thiel took action, withdrawing all of the fund’s money from SVB, and by Thursday morning the fund no longer had cash in SVB.

Calls to Get Cash Out

Numerous other VC funds, including Founders Fund, Union Square Ventures, and Coatue Management, advised companies in their portfolios to pull money out of SVB. See the video from CNBC – VCs Call for Run on SVB.

There were calls for not pulling cash out, but by Thursday the damage was done. In a single day, SVB customers pulled $42 billion from the bank, cementing the collapse and demise of SVB.

The Role of Technology in the Collapse

The irony of our advanced technological era is that it increases the speed and efficiency with which word of a potential failure spreads, along with the ability to withdraw or transfer funds quickly.

As VCs and their clients shared news of the collapse and calls for pulling money out of SVB through Twitter and Slack channels, word spread fast. In what was dubbed the “first Twitter bank run,” word spread just as the rumors that created bank runs in the past did, only much faster thanks to technology.

As with bank runs of the past, it became a self-fulfilling prophecy.

What Can You Do?

To prevent the loss of capital, it is important to diversify. First, diversify in a way that lets you utilize multiple accounts within the same financial institution or bank, trying to keep accounts within the FDIC coverage.

Next, diversify across multiple banks and financial institutions to lessen the impact. There are some little-known ways to increase your FDIC coverage by utilizing special methods and accounts while remaining liquid.

If you’re concerned about the impact and fallout of the collapse of Silicon Valley Bank and how that could impact your business, schedule a call with us to complete a Financial Impact Analysis.

Conclusion

The collapse of Silicon Valley Bank was the result of multiple factors, including internal mismanagement, economic factors, regulatory issues, competition, customer losses, poor capitalization, lack of innovation, lack of transparency, and employee turnover. The bank’s leadership failed to address these issues, leading to a decline in the bank’s financial health.

SVB’s collapse serves as a cautionary tale for other banks and financial institutions. It highlights the importance of effective risk management, diversification, innovation, transparency, and positive work culture. Banks must continuously adapt to changing market conditions and customer needs to remain competitive and profitable.

Did you know that 60% of small businesses that suffer a cyberattack will shut down within six months? That’s a sobering statistic that underscores the importance of having a solid disaster recovery plan in place.

However, even with the best intentions, many organizations make common mistakes that can leave them vulnerable to downtime, data loss, and costly recovery efforts. Learn about the 10 Disaster Recovery Plan Mistakes to Avoid for Your Business.

In this article, we’ll explore some of the most common disaster recovery plan mistakes and provide tips to help you avoid them. Read on to learn how to keep your business safe from disaster! 

1) Not Having a Disaster Recovery Plan in Place

One of the biggest mistakes a business can make is not having a disaster recovery plan in place. A disaster recovery plan is a set of procedures and protocols put in place to help a business recover from a disaster.

A disaster can take many forms, such as:

  • A cyber attack
  • A natural disaster like a flood or earthquake
  • A power outage

A disaster recovery plan is a critical component of a business continuity plan (BCP), meaning it’s essential for ensuring the survival of a business in the event of a crisis.

Without a disaster recovery plan, a business can suffer significant financial losses and may even go out of business. A disaster recovery plan can help a business recover from a disaster quicker, with less damage to the business. It can also help ensure that critical business functions are restored as quickly as possible.

Creating a disaster recovery plan doesn’t have to be complicated. You can find a disaster recovery plan template available online. This can be customized to fit the specific needs of your business.

2) Not Testing The Disaster Recovery Plan

Having a disaster recovery plan in place is a great start, but it’s not enough. One of the biggest mistakes businesses make is not testing their disaster recovery plan.

Testing is a critical component of any crisis management plan. It helps identify weaknesses in the plan and ensures that it will work when it’s needed most.

Testing a disaster recovery plan can help a business in several ways, including:

  • Identifying gaps or weaknesses in the plan
  • Ensuring that the plan works
  • Providing an opportunity for improvement

Testing a disaster recovery plan doesn’t have to be complicated or expensive. There are many different ways to test a plan, ranging from tabletop exercises to full-scale simulations. The key is to ensure that testing is done regularly and that the plan is updated based on the results of the testing.

By not testing the disaster recovery plan, a business is essentially taking a gamble that the plan will work when it’s needed most. This is a risk that no business should be willing to take, especially when the consequences of a failed recovery can be catastrophic.

3) Not Backing Up Data Regularly

Data is the lifeblood of any business, and losing it can be devastating. That’s why it’s essential to have a backup disaster recovery plan in place to ensure that data can be recovered in the event of a disaster. One of the most significant mistakes a business can make is not backing up its data regularly.

Here are some reasons why it’s crucial to back up data regularly:

  • Regular backups protect against data loss due to disasters
  • Many businesses must maintain backup copies of their data for regulatory compliance purposes
  • Having a plan in place can help a business maintain business continuity during a disaster and reduce the impact of downtime

There are several ways to back up data. These include cloud disaster recovery solutions and on-premise backup solutions. It’s essential to choose a backup method that’s appropriate for your business’s needs, taking into account factors such as:

  • Data volume
  • Recovery time objectives
  • Budget

Backing up data regularly is a critical component of any disaster recovery plan. Without regular backups, a business is at risk of losing data. This can have severe consequences.

4) Not Having A Clear Communication Plan

In times of crisis, clear communication is key to minimizing the impact on your business. Without a well-defined communication plan, employees, customers, and stakeholders may become confused. This can lead to delays in recovery efforts.

Here are some common mistakes to avoid when creating a communication plan for your disaster recovery IT plan:

Lack of Clarity on Roles and Responsibilities

Ensure that everyone involved in the recovery effort understands their role and responsibilities. This includes identifying who will be responsible for communicating with:

  • Employees
  • Customers
  • Vendors
  • Any other stakeholders

Not Having a Designated Spokesperson

Designate a single person or team to serve as the spokesperson for the company during a crisis. This person should have the authority to make decisions and communicate with all parties involved.

Failing to Establish Clear Communication Channels

Define the methods of communication that will be used during a crisis. This could include email, text messages, phone calls, or other methods. Make sure that all employees are aware of the communication channels and know how to access them.

Neglecting to Test the Communication Plan

Test the communication plan to identify any potential issues or gaps. This will help ensure that everyone knows what to do in the event of a crisis.

5) Not Training Employees on the Disaster Recovery Plan

A disaster recovery plan is only as good as the people who implement it. Your employees are essential to your business’s continuity. It’s crucial that they are well-prepared to handle any disaster that might strike.

Failure to train your employees on the disaster recovery plan can lead to:

  • Confusion
  • Miscommunication
  • Business disruption

Here are some common mistakes to avoid when training employees on the disaster recovery plan:

Assuming That Everyone Knows Their Role

Even if your employees are familiar with the business continuity vs. disaster recovery concepts, they may not know exactly what they need to do during a crisis. It’s essential they have clear guidelines and know their role in executing the disaster recovery plan.

Not Providing Enough Training

Don’t assume that one training session is enough to cover everything. Consider offering ongoing training and refresher courses. This will ensure that employees are always up-to-date and informed.

Neglecting to Test Employee Readiness

Testing the disaster recovery plan is not just about testing the technical systems. It’s also about testing employee readiness. Conduct regular drills and simulations to ensure that your employees can execute the plan effectively.

6) Not Using an All-Hazard Approach to Planning

One common misconception about disaster recovery planning is that it’s only necessary to plan for specific types of disasters, such as cyberattacks or natural disasters. However, a more effective approach is to use an all-hazard style of planning.

This approach to disaster planning focuses on preparing for all types of disasters, regardless of their cause, rather than just specific ones. An all-hazard plan takes into consideration all potential hazards that could impact your business, including:

  • Loss or reduction of people (e.g. employees, consultants)
  • Loss of property (e.g. facilities, assets, key equipment)
  • Loss of processes
  • Loss of technology (e.g. applications, data, networks)
  • Loss of vendor/supplier

An All-Hazard style plan recognizes that disasters can take many forms and can happen at any time. It provides a comprehensive framework for responding to any crisis and ensures that your business is prepared for a wide range of scenarios.

7) Relying Solely on Technology

Technology is an essential aspect of disaster recovery and business continuity planning. Relying solely on it, however, is a common mistake.

While technology can help you recover quickly, it is not always a failsafe solution. Here are some reasons why:

Technology Can Fail

Systems can malfunction, software can become outdated, and networks can go down. If you rely solely on technology, you could find yourself without a plan if your systems fail.

Technology Cannot Replace Human Decision-Making

In the event of a disaster, it is essential to have a plan in place that outlines how decisions will be made. Relying solely on technology can leave you without the human input necessary to make the right decisions in a crisis.

Technology Cannot Provide Context

When a disaster occurs, it is important to have a clear understanding of the situation. Technology alone cannot provide the context necessary to make informed decisions about how to respond.

What Businesses Can Do Instead

So, what can you do to avoid relying solely on technology for disaster recovery and business continuity planning?

Your disaster recovery and business continuity plan should involve more than just technology. It should also include procedures, policies, and guidelines that outline how you will respond in the event of a disaster.

Your plan should also involve people from across your organization, including:

  • Management
  • Employees
  • Stakeholders

By involving people in the planning process, you can ensure that your plan takes into account the needs of everyone involved.

8) Not Updating the Disaster Recovery Plan Regularly

Simply creating a plan is not enough. It’s essential to regularly update the plan to ensure that it remains relevant and effective.

Here are some reasons why not updating the disaster recovery plan regularly can be a costly mistake:

Changes in Technology

As technology continues to evolve, it’s essential to update your plan to keep up with changes. For instance, if a business migrates to a new software or cloud-based solution, the disaster recovery plan needs to be updated to reflect this change.

Changes in Business Processes

Business processes are continually changing. Your business should be updating your disaster recovery plan accordingly. If your business introduces new products or services or changes its operations, the disaster recovery plan needs to be updated to reflect these changes.

Changes in Personnel

If key personnel responsible for implementing the disaster recovery plan leave the company, the plan may become outdated. It’s essential to review and update the plan regularly. This ensures that new personnel get trained and can implement the plan effectively.

Changes in the External Environment

The external environment can be unpredictable. Businesses must consider external factors that may affect their operations. This can include natural disasters, cyber threats, or supplier issues.

Updating the disaster recovery plan regularly can help businesses prepare for these events and mitigate their impact.

9) Not Involving All Stakeholders in the Planning Process

Disaster recovery planning for IT is not just the responsibility of the IT department. The plan should involve all stakeholders in the organization. This ensures that all potential risks and impacts are taken into account.

Failure to involve all stakeholders can lead to inadequate planning and preparation. This could result in further complications in the event of a disaster.

IT staff members are responsible for managing the plan and implementing necessary procedures. Business owners and managers should be involved in the planning process as well. This ensures that the plan aligns with the overall business objectives and priorities.

You should train all employees on the disaster recovery plan. This can include their respective roles and responsibilities during a disaster.

Vendors and suppliers should be involved in the disaster recovery planning process to ensure that their services and products are available and functioning during a disaster. Depending on the organization, customers and clients may also need to be involved to ensure that their needs are taken into account.

10) Not Having a Cybersecurity Plan in Place

While disaster recovery planning is essential for a business to continue operating during a crisis, having a cybersecurity plan in place is equally important. Cyber attacks can cause significant damage to a business’s reputation, financial health, and operations. Without a cybersecurity plan, a business is vulnerable to data breaches, ransomware attacks, and other cyber threats.

Here are some common mistakes businesses make when it comes to cybersecurity planning:

  • Not understanding their cybersecurity risks
  • Not implementing security controls such as firewalls, antivirus software, and multi-factor authentication
  • Not training employees on cybersecurity best practices
  • Not having an incident response plan
  • Not regularly testing and updating their cybersecurity plan

Having a robust cybersecurity plan in place, in addition to DR solutions, can help a business better protect itself against cyber threats and minimize the impact of any cybersecurity incidents.

Don’t Make These Costly Disaster Recovery Plan Mistakes

Creating a disaster recovery plan is an essential part of any business’s operations. A well-executed disaster recovery plan can mean the difference between a minor disruption and a full-blown business catastrophe.

Don’t let these disaster recovery plan mistakes leave you unprepared; prioritize business continuity and disaster recovery planning today.

If you want to know more about disaster recovery planning and how to protect your company, contact us at any time!


It is hard to think of a market that is more poised to explode in popularity than disaster recovery solutions. Around the world, demand for disaster recovery solutions was worth about $8 billion in 2021. However, by 2030, this industry is expected to generate more than $115 billion in revenue every single year!

All signs point to even further continued growth after that. But what is it about this industry that allows it to multiply in size around the world by more than 14 times in only 9 years?

The changing business and technological landscapes are making disaster recovery planning more important than ever before. However, many people are still wondering, “What is DRP?”, and why is it important?

Proper disaster recovery planning provides a long list of benefits that make it a worthwhile investment for almost any company. As the years go by, it may be increasingly necessary for companies to invest in this kind of protection. Read on to learn all about disaster recovery planning and the benefits that it can provide!

What Is DRP?

Disaster Recovery Planning is also known as DRP, DR, and even ITDR. As its name suggests, disaster recovery planning is all about having a plan and the technological resources ready so that you can recover after a disaster or disruption to your business. This is especially true of a technology-based disruption.

However, in this context, we are not speaking of all types of company disasters. The relevant kinds of disasters are those that involve losing important data and similar technical disasters.

People use disaster recovery planning to prepare for a wide variety of possible causes of disasters. Some people are mostly thinking about the possibility of ransomware and other forms of cybercriminal activity. Other people are concerned about human error and the potential for essential data loss.

As technology advances, more and more of our systems depend on keeping, storing, and updating important data. Most companies are now incapable of functioning at all if they lose the information in their data systems.

Hospitals and other institutions are also being targeted for cybercriminal activity. Regardless of the cause or target, a disaster recovery plan will help protect you. With the right kind of protection, you can keep your company safe regardless of the innovations of bad actors.

Fight Cyber Criminals With a Disaster Recovery Plan

The numbers show that cybercriminal activity is rising fast. From a historical perspective, this seems almost inevitable.

Technology is becoming more and more advanced. More people are learning how to use technology in basic and advanced ways. In some ways, we are entering a new world where no one knows exactly what the rules are.

That means that some bad actors will take advantage of the newness of the space to find ways to exploit people. There are further indicators that cybercrime will be more common in the future.

For example, most cyber criminals had to be technical experts of some kind in the past. However, some of these technically sophisticated criminals are designing systems that allow other people to also distribute malware.

The time may soon come when anyone can engage in cyber criminal activities regardless of their level of technical knowledge. All of this means that there will be more and more people who want to target companies to threaten them with the loss of their essential data.

However, all of this depends on companies being dependent on the data that cybercriminals steal. There are a variety of ways to protect yourself against this kind of eventuality.

Disaster recovery planning is all about making it so that your company is safe and capable of functioning regardless of the actions of bad actors. For example, your disaster recovery plan might include backing up your essential data at secure locations. That way, even if criminals erase your data from your main system, you will be able to recover it whenever you want.

Recover Losses Quickly With Disaster Recovery Planning

When a disaster happens, the question is more about how much a company loses rather than whether or not it will lose something. However, the right disaster recovery plan can help you recover from a problem as fast as possible.

For example, if your whole system shuts down, a quality disaster recovery plan will know which processes should receive attention first. Then, the plan will dictate how the most essential aspects of your business can be managed even while you work out your technical problems.

All of this preparation also means that companies can work through their technical problems with as little delay as possible. That means that you can recover from your little technical disaster and get back to booming business.

Many people underestimate the value of lost time and functionality. It is a lot easier to feel bad about losing a specific number of dollars out of a bank account than to feel bad about something more nebulous like lost productivity.

However, lost productivity can sink a business going through a difficult time. Businesses that want to grow need to maintain access to system data as well as all of the technical tools that we rely on today. With a disaster recovery plan, your company will be ready to snap back whenever anything impedes it.

Avoid Interrupting Crucial Processes With DRP Solutions

Some company processes are more vital than others. For example, a manufacturing plant might lose millions of dollars of products if the manufacturing process loses electricity for a few hours.

Different industries have different sensitive processes. Regardless of what the sensitive processes at your company are, disaster recovery planning can help you protect them.

In the ideal case, you will not lose functionality for your most crucial processes even for a moment.

Your plan may need to account for many different possible disasters. But with care, you can help keep vital company processes functioning. Then, the rest of the company can focus on getting back on track.

All of this means that you will lose as little as possible while waiting for your disaster recovery plan to resolve whatever your problem is.

Signal Responsibility With a Disaster Recovery IT Plan

People use a wide variety of indicators to assess companies. Although this is not an exact science, people use these kinds of indicators to decide what kind of reputation each company in an industry has.

Many new companies fail to take precautions to protect themselves. In contrast, companies that have been around for much longer have a greater tendency to invest in the long term.

As a result, having a disaster recovery plan can be an indicator of company conscientiousness. In fact, putting together a quality disaster recovery plan displays a number of good qualities.

It shows that a company is aware of changing trends in the business and technological landscapes. It also signals that a business is taking care of its assets and those that are entrusted to it. 

Discover Weak Points in Your Systems

As you make a disaster recovery plan, you will have to examine each part of your business. That is because each part of the business is a potential vulnerability for bad actors to target. This means that there is a good chance that you will come across unknown problems as you develop a disaster recovery plan.

Resolving some of these problems will be part of making your disaster recovery plan. In other cases, you will discover unrelated problems that you will solve with other company activities. Either way, this kind of review of company operations and vulnerabilities can help you identify hidden problems.

Be Prepared to Recover All Lost Data

When a company is a target of ransomware, it is told to pay a ransom or else lose its essential data. Having backups of your data can protect you from this threat.

However, there are all kinds of ways that data can be lost. Setting up a disaster recovery plan will protect you from all of these possibilities at the same time.

For example, some companies lose important data because of the mistakes of company employees. This also means that employees need to be extremely careful about taking initiative with systems that they do not understand. After all, if they make a mistake, the results could be dire.

In other cases, companies lose data due to technical problems. An unfortunate power outage or system shortage could cause catastrophic consequences.

However, part of your disaster recovery plan will involve making backups of your data. That means you will always have access to it no matter what mistakes happen or whether you are targeted by bad actors.

Learn About the Latest Data Security Practices

If you work with a professional company to make your disaster recovery plan, you may learn a lot during the process. The details of disaster recovery plans are shaped by technology.

Certain kinds of technology create certain vulnerabilities. Other kinds of technology help address such vulnerabilities. However, the common vulnerabilities in our data systems change from year to year as technology progresses.

Many people have a passing understanding of many of the weak points in past versions of our technological systems. However, as technology changes, the cutting edge of cybercriminal activity also changes.

Professional DRP services learn all about the latest vulnerabilities in our systems. If you work with one to make your disaster recovery plan, you can ask it which kinds of vulnerabilities are becoming more common. You may even be able to get some sense of the vulnerabilities that are likely to emerge in the future.

Preserve Your Company’s Reputation

When a company goes through a difficult time due to a technical disaster, it does not reflect well on the company. As a result, there are reputational concerns as well as pragmatic ones when you are dealing with a technical disaster of some kind. 

That also means that a disaster recovery plan can help protect your reputation. How much this matters varies from industry to industry and from company to company. However, if the reputation of your company has a lot to do with its success, then you might want to invest in these kinds of protections.

Intimidate Potential Criminals

The more famous a company is, the more cyber criminals might tend to target it. On the other hand, what if a company has a reputation for taking precautions to take care of company assets? Then criminals may feel that there is little point in targeting a defended target.

An important principle to keep in mind here is that you do not necessarily need to be immune to all possible criminal attacks. The point is not to set up so many defenses that you are invulnerable. Rather, the point is to set up protections such that criminals will feel that their time will be better spent elsewhere.

What would happen if every company invested in disaster recovery plans? Criminals might begin to discover that their activities no longer lead to profit. If companies and individuals learn to protect themselves from cyber crime, then cyber criminals will no longer have any incentive to pursue their criminal activities.

Understand What Is DRP (Disaster Recovery Planning) And Why It’s Important

If you have ever wondered, “What is DRP?”, then we hope that you now have the answer to your question. As we learn more and more about technology, it is becoming more important for companies to protect themselves from the disastrous results of bad actors and buggy systems. Putting together a disaster recovery plan is an essential part of making sure that your company stays safe in the future.

To learn more about disaster recovery planning and how to keep your company safe, reach out and get in touch with us here at any time!


With the rise of cybercrime and identity theft, it’s more important than ever to secure your data and protect yourself against the dark web. A Dark Web Scan allows you to monitor how your information is being shared or used, giving you peace of mind that your personal data is secure. Understanding what dark web scans are and how they can protect you and your business helps to keep your personal and business information more secure.

How? First, let’s start by taking a look at exactly what the dark web is. 

 

What is the Dark Web?

The dark web is an unindexed part of the internet. This means it’s not visible to search engines and can’t be found by entering a search term into a search engine. Though not all sites on the dark web are for criminal activity, it’s a key area of the World Wide Web for criminals and illegal activity, making it attractive to people who want to keep their identities and data secure from others. By performing regular dark web scans, you can keep an eye on how your personal information is being used or shared without your knowledge. More on that later.

In fact, the deep web, of which the dark web is a subset, makes up the larger portion of the overall internet. Estimates place the size of the deep web somewhere between 96% and 99% of the internet, according to CSOonline.com. The deep web is made up of any website that is not indexed by search engines such as DuckDuckGo or Google. This includes websites that require logins or paywalls to access the content.

The dark web consists of sites that are intentionally hidden and require a specific web browser called Tor (The Onion Router) to access. The dark web is estimated to be about 5% of the internet. Not all sites on the dark web are used for illegal, illicit, or criminal activity; however, this is where this type of information resides. In 2015, such sites made up 57% of all known dark websites, and a study done in 2019 showed an increase to 60% (a figure that excludes drug-selling websites).

These illicit sites sell things like your credit card numbers, login credentials, banking and medical information, Netflix logins, and a host of other information, including your business’s intellectual property. They also sell the tools needed to crack passwords, hack your systems, and launch attacks such as malware, ransomware, DDoS, and botnets.

Why are these items for sale in the first place? Because they have value on the black market. While that may be obvious, what may surprise you is how much some of this information is worth. Let’s take a look at what some of this information costs on the dark web, based on scans of dark web marketplaces, forums, and websites. The data below comes from pricing listed on the dark web in 2022*.

  • Credit card details cost between $17 and $120. On the higher end are accounts with an account balance of up to $5,000.
  • Online banking login credentials go for $45
  • Hacked Facebook Accounts $45
  • Cloned Visa with PIN $20
  • Complete Details for ID theft $1,115

*Source: helpnetsecurity.com

For additional information on how much of this cybercrime and illicit trade works, I recommend the book Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity, by Byron Acohido and Jon Swartz.

The link above is NOT an affiliate link. 

How Do Dark Web Scans Work?


Dark web scans use specialized software to scan hidden websites, forums, and encrypted networks to detect any instances of stolen data that may have been leaked online. The scans are typically designed to search for personal information including email addresses, usernames, and passwords. If your stolen data is found, the scan notifies you so that you can take preventative measures like changing passwords or monitoring your accounts for suspicious activity.
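To make the matching and notification step concrete, here is an added example (not Erwood Group's or any scanning vendor's code) that checks lines from a collected credential dump against the domains and usernames you monitor and builds an alert that never repeats the leaked secret. The dump format (`identifier` then `:`, `;` or `|` then the secret), the domain `example.com`, the sample data and all function names are assumptions.

```python
"""Match lines from a credential dump against identities you monitor.

Added example: the dump format, sample data and all names are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample of a collected paste / combo list (not real data).
SAMPLE_DUMP = """\
alice@example.com:Summer2022!
bob@example.com;5f4dcc3b5aa765d61d8327deb882cf99
ALICE@EXAMPLE.COM:Summer2022!
carol@other.test|hunter2
jdoe_admin:Winter#19
not a credential line
dave@example.com:
"""

LINE_RE = re.compile(r"^([^:;|\s]+)[:;|](.*)$")
EMAIL_RE = re.compile(r"^[a-z0-9._%+-]+@([a-z0-9.-]+\.[a-z]{2,})$")
# Lengths of hex-encoded MD5, SHA-1 and SHA-256 digests.
HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")


def parse_line(line):
    """Return (identifier, secret) split on the first separator, or None."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    identifier, secret = match.group(1).lower(), match.group(2).strip()
    if not secret:
        return None  # identifier listed without a secret: nothing to act on
    return identifier, secret


def is_monitored(identifier, domains, usernames):
    """True for e-mail addresses in a monitored domain (or a subdomain of it)
    and for bare usernames on the watch list."""
    match = EMAIL_RE.match(identifier)
    if match:
        domain = match.group(1)
        return any(domain == d or domain.endswith("." + d) for d in domains)
    return identifier in usernames


def scan_dump(dump_text, domains, usernames=()):
    """Build a per-identity exposure report that contains no secrets."""
    domains = {d.lower() for d in domains}
    usernames = {u.lower() for u in usernames}
    seen = defaultdict(lambda: {"plaintext": set(), "hash": set(), "hits": 0})

    for line in dump_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        identifier, secret = parsed
        if not is_monitored(identifier, domains, usernames):
            continue
        kind = "hash" if HASH_RE.match(secret) else "plaintext"
        seen[identifier][kind].add(secret)  # held in memory only, for counting
        seen[identifier]["hits"] += 1

    report = {}
    for identifier, entry in seen.items():
        if entry["plaintext"]:
            action = "change password now and review account activity"
        else:
            action = "change password; only a hash was exposed"
        report[identifier] = {
            "hits": entry["hits"],
            "distinct_plaintext": len(entry["plaintext"]),
            "distinct_hashes": len(entry["hash"]),
            "action": action,
        }
    return report


if __name__ == "__main__":
    result = scan_dump(SAMPLE_DUMP, ["example.com"], ["jdoe_admin"])
    for identity in sorted(result):
        print(identity, result[identity])
```

The report carries counts and a recommended action only, so it can be sent by e-mail or logged to a ticket without spreading the exposed passwords further.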

 

What Information Does a Dark Web Scan Check for?

Dark web scans check for leaked credentials such as email addresses, passwords, usernames, and other key information that may have been exposed on the dark web. They also check for private information like bank account and credit card numbers, Social Security Numbers, personal identification documents, and more. In addition to checking these individual pieces of data, the scan can also assess whether your information is linked to any malicious activity or breaches.

 

Are There any Tips or Tricks I Should Know Before Beginning a Dark Web Scan?

Before you begin a dark web scan, there are a few important tips to keep in mind. For starters, make sure you’re setting up the scan with a trusted service provider as they have access to detailed information about your data. It’s also important to ensure that you understand the level of detail each service provides and whether they offer additional features like alerts when new breaches occur or additional security measures. Lastly, know that these scans can be expensive; as such, it’s important to determine whether the cost is worth the added security it provides. 

Here at the Erwood Group, we provide an initial free dark web scan to our clients. See the details below for more information on how to obtain a free dark web scan from us. 

Additionally, we would be happy to discuss ongoing dark web monitoring and additional cybersecurity services if warranted based on the findings of the initial dark web scan. 

 

How Can I Make Sure My Data Stays Protected after a Dark Web Scan?

After your dark web scan has been completed, you should take steps to ensure the security of your data. Consider changing all the passwords associated with any accounts or websites that were flagged in the scans. Create unique strings of characters for each password and use a separate password manager if necessary. Additionally, avoid using public Wi-Fi when performing sensitive transactions such as online banking, and ensure that your software (operating system, browser, etc.) is always up to date. Lastly, be mindful of where you store your business and personal information, such as government documents or other forms of identification, both digitally and physically.

HOW CAN I GET A DARK WEB SCAN FOR MY BUSINESS?

The Erwood Group provides a FREE one-time Dark Web Scan for all clients and potential clients. All you have to do is go to our Dark Web Scan page and complete the information to get started. No payment, credit card, or user account is required for the scan or report, though we will need some key information in the form to conduct and complete the scan. Go to Erwood Group Dark Web Scan to learn more.

Basic Risk Assessment Tool

We are excited to announce and introduce our new and Free Basic Risk Assessment Tool. The best part is it will be part of our Forever Free Initiative™ to help businesses better prepare for disruptions and disasters.


We at the Erwood Group believe that the Free Basic Risk Assessment Tool will be a game changer for the small and mid-sized business market for removing the obstacles required to complete a risk assessment quickly and efficiently.

This is important because one of the most basic reasons for business continuity or contingency plans to fail is the lack of a risk assessment or understanding of how those risks will impact the business.

Our proprietary tool is easy to use and will quickly calculate an Overall Threat Rating based on the Probability of Occurrence and the Impact Severity on key core operations of the business.

The Basic Risk Assessment Tool will be a part of our Forever Free Initiative™ to provide all businesses with better preparation for disruptions and disasters.

Now a business can quickly and easily assess how a hazard or scenario will impact their business and determine what risks will have the greatest impact on their business. You can access the Basic Risk Assessment by clicking the link here:

Free Basic Risk Assessment by the Erwood Group.

For complete step-by-step instructions on using the Basic Risk Assessment Tool, please see this link:

Guide to Using the Basic Risk Assessment

We are also excited to tell you we will be releasing our entire Impact Tool in Early 2023 which will include the following modules:

  • Advanced Downtime Calculator & Financial Impact Analysis
  • Advanced Risk Assessment
  • Business Impact Analysis

Be sure to check out the Free Basic Risk Assessment Tool and share it with your friends and colleagues to help us spread the word about this great tool. 


We are excited to announce and introduce our new and Free Basic Downtime Calculator Tool. The best part is it will be part of our Forever Free initiative™ to help businesses better prepare for disruptions and disasters.


We at the Erwood Group believe the Free Basic Downtime Calculator Tool is an important tool in that many businesses struggle to calculate and measure the true cost of downtime that impacts their business.

This struggle leads to issues in implementing the right strategies, recovery time objectives that are inappropriate to the business, and even shortcomings in proper insurance coverages leading to greater losses. Worse yet is the potential for extended losses or delays in revenue.

How bad is the problem? Bad enough that a Forrester survey conducted in 2011 discovered that while 55 percent of respondents claim their companies have calculated the cost of downtime, only 18 percent knew what that figure was. The average reported cost per hour is near $350,000. According to the same report, 90 percent of respondents did not know the cost of their most recent disruption. Of the 10 percent that did know the total cost of their most recent disruption, the average cost was $10.8 million.

While it is obvious to most people that lost revenue causes problems, delayed revenue can be just as bad for small and midsized businesses that depend on the lifeblood of their cash flow.

Now a business can utilize our Free Basic Downtime Calculator Tool to determine the financial impact of disruptions to their business quickly and easily. You can access the Basic Downtime Calculator by clicking the link here:

Free Basic Downtime Calculator Tool by the Erwood Group.

For complete step-by-step instructions on using the Basic Downtime Calculator please see this link:

Guide to Using the Basic Downtime Calculator

We are also excited to tell you we will be releasing our entire Impact Tool in Early 2023 which will include the following modules:

  • Advanced Downtime Calculator 
  • Advanced Risk Assessment
  • Business Impact Analysis

Forever Free Initiative™

Our Forever Free Initiative™ by the Erwood Group is our way of addressing the perception that business continuity planning, contingency planning, and overall preparedness planning for business is too expensive and/or too complicated.

As part of this initiative, we are making two of the modules of our Impact Tool™ available to the public free to use. This is to enable them to better prepare and enhance their overall awareness of the impact on their business from a disruption or disaster.

The two modules that are free are:

Basic Risk Assessment Tool
Screen Shot of the Basic Risk Assessment Tool

We at the Erwood Group believe providing these two tools will greatly benefit businesses of all sizes. We know this will have the biggest benefit to the SMB market, because it makes it possible for these businesses to assess their risks to hazards, as well as the overall impact of these hazards on the business, without having to worry about the costs to complete these basic and fundamental assessments.

Additionally, we are providing the ability to calculate the costs that a disruption or downtime will have on the business and allowing them to complete a basic Financial Impact Analysis on their business operations by utilizing the Basic Downtime Calculator Tool.

Screen Shot of Basic Downtime Calculator

These tools have long been a part of our Impact Toolkit™ and have been developed and used for over a decade. Though these tools have been in use by us and some of our clients for a long time we recently decided to turn these tools into web-based, SaaS tools. 

Then we decided to make the two most basic and fundamental of these tools available to everyone. For Free. Out of this was born our Forever Free Initiative™. You don’t even need to register to use them. 

We look at this initiative as serving two primary purposes.

  1. To Give Back to the business community
  2. To Make Business Preparedness Accessible to businesses of any size

When I set out in this industry my main desire was to help small businesses to be able to prepare, prevent, and continue operating after or even during a disaster or disruption. Though to make this happen, we had to be at the point where we had enough work and revenue from mid-sized & large enterprises to sustain us.

This also paved the way for the creation and development of our proprietary Impact Toolkit™ simply called Impact™ and the eventual development of our web-based tools and system.

These tools and our system have also been utilized by us at the Erwood Group and clients over a long period of time, so they are tried, tested, and trusted. We simply did not just throw this together recently. Though we also have more advanced tools in our Impact Toolkit™, these two modules in our Forever Free Initiative™ are enough to get a business started planning, and robust enough to keep utilizing far into the future.

Our paid subscription and advanced tools will have more functionality. For instance, our Advanced Risk Assessment also provides the ability to track risks over time, accounting for mitigation and control of the risks, and more. This will provide greater and deeper insights to risk mapping to the business over time.

The Advanced Downtime Calculator will also account for instances of lost productivity, and costs to catch up, for manufacturing and non-manufacturing businesses. You can also make and plan for adjustments based on various Recovery Time Objectives (RTOs) and other scenarios.

We will also be releasing a powerful Business Impact Analysis Tool as part of this upcoming subscription-based release soon.

Even though we will be making the main Impact Toolkit™ available through paid subscription only, we plan on keeping these tools affordable for every business, unlike other similar software that can cost $20,000 or more per year.

Business Continuity Plans

Everything You Need to Know About Business Continuity Plans

Chances are if you’re visiting this page, you are new to the concept of Business Continuity Plans (BCPs) and business continuity overall. You may have just been asked if you have business continuity plans by a current or potential customer. Maybe you were asked by your manager or a business owner to create a business continuity plan for the business or department. If this is the case, you’re in the right place to learn everything you need to know about business continuity plans.

If you’re a seasoned professional, stick around and read through the page and I hope you can learn something new. Or, if you feel like something is missing feel free to add your input in the comments below. I’ll also add to this article over time as things change or develop as needed, or as I learn or try something new.

Let’s get started with perhaps the most basic question, what is a business continuity plan?

Definition of Business Continuity Plan

A business continuity plan is best described as the plan you would use if your business were impacted by a disaster or disruption so that you could continue providing goods and services to your customers and clients. I also like to just call it disaster planning for business. I prefer this because I like to keep things as simple as I can. Also, I have a feeling the above definition is most likely the one you will remember best.

For a more complex version of what a business continuity plan is, let’s look at the official definition from the Disaster Recovery Institute International (DRII) Glossary: “A documented collection of procedures and information that is developed, compiled, and maintained in readiness for use in an incident to enable an organization to continue to deliver its critical products and services at an acceptable predefined level.” NOTE: DRII takes this definition from the Business Continuity Institute (BCI) and Disaster Recovery Journal (DRJ).

Another definition, from Federal Continuity Directive 1, is: a Continuity Plan is a documented plan that details how an individual organization will ensure it can continue to perform its essential functions during a wide range of events that can impact normal operations.

While business continuity has been in practice since the 1970s, and it could be argued that it has been around since the 1950s through strategic planning, it is not common knowledge. We’ll get into the history of business continuity in another upcoming article. For now, we’ll just focus on where we are at today.

Today what we are seeing is what I like to call “trickle-down continuity.” What I mean by this is that most large enterprises have business continuity plans in place and they are frequently requiring their vendors and suppliers to have similar plans in place. More specifically, they are requiring suppliers to have plans in place to support the continuing production of the goods and services they supply to them.

For smaller and mid-sized businesses, the first time they even hear the phrase business continuity is often through a request from a current or potential client asking if they have a business continuity plan in place.

As mentioned earlier, most larger enterprise-type businesses not only have business continuity plans in place but entire business continuity programs that manage the entire business continuity lifecycle throughout the business. You can learn more about business continuity and business continuity programs through our recent article what is business continuity?

The business continuity plans are commonly developed around the core business functions and processes that are needed to support the key products and services provided to customers. For small businesses, it is common to have just one all-encompassing plan. For businesses that have multiple departments, multiple products, multiple services, and many moving parts to the business, it is best to have multiple plans for each of these functions.

What Goes into Business Continuity Plans?

As I just mentioned you’ll want to focus the business continuity plans around key business functions and processes. We’ll take a deeper dive into those business functions later, but let’s first focus on what goes into creating effective business continuity plans.

Typically, each business continuity plan contains certain key elements that are considered critical to the business operations. Some businesses include additional information specific to their business or operational area they deem important or even critical to the recovery of the department or function the plan is created around.

One important thing to know is that the Business Continuity Plan should contain all the information required to implement the processes and strategies to perform the business functions contained in the plan. It should also list the steps supporting the strategies in such a manner that someone of the same skill set should be able to follow them, take the appropriate actions, and complete them.

For the purposes of this article, I will discuss the typical elements that go into creating a business continuity plan and lay them out as they would actually appear within your business continuity plan. If needed, feel free to copy the format and use this as your business continuity plan template.

These key elements are as follows:

  • Cover Page
  • Table of Contents
  • Business Continuity Plan Governance (sometimes omitted if in a Business Continuity Charter)
  • Business Continuity Statement
  • Business Continuity Plan Introduction
    • Purpose
    • Scope
    • Assumptions
    • Plan Activation
    • Roles
  • Business Continuity Planning Committee
  • Plan Revision Tracking and Approval
  • Key Contact Information
    • Internal Contacts
    • External contacts
      • Key Vendor Contact Information
      • Insurance Contact Information
      • Other Key Service Provider Contact information
  • Risk Assessment Key Findings
  • Business Impact Analysis Key Findings
  • Critical Recovery Timelines
  • Crisis Management Levels
  • Crisis Communications
    • Internal & External Communications plans & templates
    • Notification
    • Status Reporting
    • Status updates
  • Recovery Strategies & Steps
    • People
    • Properties
    • Processes
    • Technology
    • Vendors
  • Annual Exercising & Testing
  • Annual and Ongoing Review and Maintenance
  • Appendices with Supporting Documents, Tracking Logs, and Recovery Forms

The above is not meant to be an exhaustive list, but it is a great place to start with your business continuity plans. To some, the above list is also a bit of what they would call overkill as many of these items mentioned can be placed into crisis management documents.

While it is true that this is a lot of information to include within your business continuity plans, we are also working on the assumption that you do not have any planning done previously.

Let’s look at each area individually.

Cover Page

The business continuity plan cover page contains some key information. This includes the name of the plan, who the plan owner is, the date the document was last updated, and the version number.

All of this information allows you to quickly determine if this is the appropriate plan for the needed business functional area recovery and that it is the correct and most up-to-date version of the business continuity plan. 

Naming conventions usually follow a specific format that aligns with the needs and requirements of the business. Such as the following examples: 

Table of Contents

This may seem silly but including a Table of Contents within your business continuity plans is important to finding needed key information quickly in a crisis. Placing colored tabbed pages enables this even further.

Often these documents can grow quite large. Creating clearly defined sections and colorizing those makes it even easier to quickly find the information needed at the moment a disruption occurs. It also allows the main document to be broken up into sections so that the smaller documents can be distributed to teams to run each section. These sections can be created logically such as Operations, Finance, or broken into business recovery areas.

Business Continuity Plan Governance

For businesses that implement an entire business continuity management program, they will usually start by creating a charter that provides the details, framework, and lifecycle around the creation and processes around how the program will be run and how the plans will be created, maintained, and exercised.

For those smaller and mid-sized businesses that do not have a formal business continuity program in place, you’ll either want to create a governance plan or at the very least mention how the plans will be governed and created. Long-term, this should be done as a separate document.

Business Continuity Statement

Each plan should have a brief but informative Business Continuity Statement. These statements are usually just one or two paragraphs, and never longer than a single page, detailing the importance of business continuity to the business or organization, any alignment to the business mission statement, and the reasons for having a business continuity plan and program.

Usually, the business continuity statements will also make mention of any customer, regulatory, or other requirements the business is subjected to.

Additionally, it is also common to develop other customer-facing business continuity statements about the state of business continuity within the business and the importance of these plans and programs. Sometimes it will also include a section of Frequently Asked Questions (FAQs) and their answers with information about what to do for inquiring about these programs further. Business continuity statements such as these are often placed on the business website or in a package given to potential and current customers when they ask about your business continuity plans. 

Business Continuity Plan Introduction

The business continuity plan introduction is usually focused on the individual plan itself. It provides the overall high-level information as to the purpose, functions, and processes of what the business continuity plan is for. It may include the number of strategies or key functions the strategies are focused on.

Purpose

The introduction should also include a brief statement on the purpose of the business continuity plan as it pertains to the business and the key department and functions as part of the plan. This should also outline the specific activities of the plan including:

  • Detailing the departments and/or functional areas the plan covers and calling out the specific supporting processes that roll up into the function
  • The key purpose: the capability to restore these departments, functions, and processes to an acceptable level to support the goods and services provided to clients
  • Ensure a consistent and timely response to business disruptions
  • How the business and teams will work to recover these key elements in strategies and steps

Scope

The scope of the business continuity plan usually defines the key areas covered as part of the plan. This also sets the framework that can be applied across a variety of situations, events, disruptions, or disasters as the crisis dictates such as the loss of workspace, workforce, loss of a critical provider, vendor, or loss of technology.

Though some businesses develop plans based on a specific scenario or utilize scenario-based planning contingencies, it is best to set a scope a step above these scenarios. This method is similar to what is known in emergency management as All-Hazard planning.

For instance, rather than planning for a fire impacting the business, it is better to plan for the potential loss of the use of your facility. In the end, planning for and coming up with strategies for the loss of your facility, allows you to have these contingencies in place for a variety of situations that could render your facility unusable for any length of time.

The following are key things to include as part of your scope:

Loss of Workplace:

Loss of a workplace addresses the temporary or permanent unavailability of a primary work facility. Include the primary location of the facility in a manner such as the following:

                [City, State] – [Insert Building Address]

Reduction in Workforce:

A reduction in workforce accounts for the temporary unavailability of the primary staff that supports the delivery of a given business process.

Loss of vendor:

Loss of vendor services addresses the loss of core critical vendors and suppliers that support business operations.

Loss of Technology:

Loss of technology addresses the loss of one or more core critical technologies, including applications, data, data center, and network, hosted and delivered by the Technology Department.

Assumptions

As part of your business continuity plans, you will come up with a core set of assumptions that will be part of your overall planning. These assumptions include parameters around the available services, components of business response, and capabilities, that are required for the business continuity plans to function as designed.

Should these assumptions not hold at the time of an event, disruption, or disaster, the recovery strategies outlined within the plan will need to be enhanced, changed, or improved upon.

Below are typical assumptions contained in a business continuity plan:

General Assumptions

  • Public transportation & infrastructure is available, and not disrupted
  • Personnel & team members can travel, as required
  • At a minimum, one identified method of communication is always available including email/instant message, land-line telephones, and cellular telephones
  • Some experienced & trained personnel familiar with the department’s activities and the Response Procedures are available
  • Civil society infrastructure (e.g., Government, School Systems, Public transportation, Public Communications Networks, Utilities, etc.) may become stressed (short-term delays/disruptions) but will always remain reasonably functional
  • Plans are reviewed and updated upon material change or annually at a minimum

Disruption Specific Assumptions

Loss of Workplace:

  • Only one primary site or location is impacted or disrupted at any time
  • The length of the Workplace disruption may exceed 30 days in duration
  • Alternate sites & locations are not impacted and are available for recovery use
  • Any information/records/inventory/etc. not stored offsite will be inaccessible or destroyed
  • Specialized/unique equipment at the Workplace may be destroyed/damaged/unavailable
  • Remote access capabilities (VPN) can accommodate large-scale remote access of displaced employees either in a remote or relocated fashion
  • Ample physical workspace is available across a geographically distributed footprint to accommodate critical/essential employees requiring physical workspace for an unspecified period

Reduction in Workforce:

  • Up to 50% of normal staff may be unavailable for 4-6 weeks
  • Other local and remote locations may suffer staff shortages concurrently
  • Key personnel may be unavailable/impacted (single-points-of-failure)
  • Standard Operating or Desktop procedures for the daily performance of business operations are documented, available, and managed by the owning business process department

Loss of Vendor:

  • Only one critical provider (e.g., vendor/provider/supplier/dependency) is unavailable at any given time
  • Providers will be able to re-establish services within their contractually stated SLAs as agreed upon and implemented between the business and its third-party vendors and suppliers

Loss of Technology:

  • Application restoration (Recovery Time Objectives and Recovery Point Objectives) and the overall Information Technology recovery timeline are estimated and actual RTO/RPO values are estimated
  • Business Continuity Planning will be for the loss/unavailability of an individual or single application
  • Estimated workaround procedures, capabilities, and timeframes may change significantly due to a multi-application disruption scenario.

Business Functions

One of the key things to include as part of the scope is which key business functions to include as part of the business continuity plan. These should be core critical functions that are directly tied to providing core goods and services to customers that produce revenue or are tied and interdependent to revenue-producing activities.

You’ll also want to account for service level agreements (SLAs), regulatory requirements, reputational impacts on the business, and perhaps more. 

Plan Activation

You will want to place language within the plan that describes who, when, and what specific events and situations will cause the Business Continuity Plans to be invoked if you know them. Alternatively, especially among immature business continuity programs, crisis teams are activated and plans are invoked only after assessments confirm the need to start business continuity processes.

In other businesses that have more mature business continuity programs, you will often find pre-defined protocols for when to implement the business continuity plans. Some managers have the authority and experience to decide when to invoke all or parts of a business continuity plan. These protocols are usually implemented over time based on previous experiences that led to situations where partial or full plans had to be invoked. An example of this would be an impact on a business supply chain or supplier, where some of these processes need to be shifted quickly.

Roles

You will need to include roles and responsibilities within your plans. Such roles should include Business Continuity Plan Owner and one alternate as well as team members responsible for implementing the BCP Procedures and strategies listed within the business continuity plans.

Responsibilities

Additionally, include clear responsibilities for each member of the Business Continuity Plans. Business Continuity Plan Owners are generally responsible for coordinating the team members and managing the invocation of the BCP. Though, they may also have to be the primary person implementing the plan if needed.

The team members are usually involved with performing the procedures in implementing the BCP as required. Any alternates are responsible for filling the roles where the primary person is unavailable.

Business Continuity Planning Committee

This is another element that is often covered in a business continuity charter document. However, again, small and mid-sized businesses may opt to include this information within their plans to address the lack of a formal charter. It simply outlines the purpose of the committee and the people on the committee. If the business is small enough, the committee may be the people involved in the plans themselves. 

As you select your committee, make certain you choose someone to chair the committee and a cadence for how often the committee will meet.

Plan Revision Tracking and Approval

A key element of any business continuity plan is to include plan revision tracking as well as the approval status and the current version of the plan.

This provides document control and ensures that when the plan is needed for use, those participants are utilizing the correct version of the plan. It also provides evidence of improvement over the course of time.

Typical plan revision tracking looks something like the following:

Business Continuity Plan Revision Tracking

Some plans will have a separate section for approvals like the below:

Business Continuity Plan Approval Tracking

Additionally, the cover page of the plan will often have the version number as well. Long-term tracking is usually done in the appendix area of the document.

Key Contact Information

Every business continuity plan should contain key contact information for various areas. The most important contact information that should be in the business continuity plan is for the plan participants. These should be plan owners, functional area and process owners, and key people that will implement the business continuity plans upon invocation.

Be sure to include not just work email and phone numbers for these people but be certain to also include personal email and phone numbers so that these team members can be contacted during an emergency that may occur outside business hours.

Other key contact information should include the following:

Internal Contacts

Additional internal key contacts that are pertinent to the viability of the plan should be included, such as Incident Response Team members and their contact information. Other internal contact information may include other teams as well.

External contacts

You’ll want to include important external contact information. Some of this information can be broken into separate sections such as critical customers, critical vendors, and service providers, or placed on a single page if it fits.

You’ll certainly want to include contact information for the following:

  • Facility Management Provider/Building Owner
  • Utility Providers
  • Key Contractors – Electrical, Plumbing, cleaning, Locksmith, etc.
  • Internet and Telecom Providers
  • Legal
  • Insurance
  • Local Emergency Numbers beyond 911
  • Local hospital numbers
  • Local Emergency Management Office Numbers – EOC
  • Restoration Cleanup providers
  • Document Recovery and Salvage providers

The above is not meant to be an exhaustive list but a starting point. You’ll want to add external contacts based on your own business needs and concerns.

Risk Assessment

A Risk Assessment (RA) is often one of the first things you’ll do after the initial business continuity program creation. You’ll want to include key findings from any risk assessments that were performed. You do not need to include everything or go into deep detail about the risks the business faces. Keep it a high-level overview, and perhaps a direct list of the top 3-5 risks, but I would not go beyond the top ten risks the business is facing.

Business Impact Assessment

The Business Impact Assessment, more commonly referred to as the Business Impact Analysis (BIA), is the method for assessing the impact various events will have on the business. You will also want to document within the business continuity plan that the business has conducted a BIA. Again, there is no need to document this in fine detail. Include just the high-level key findings discussing the greatest potential impacts to the business, the potential monetary and operational impacts, and how you might respond in a high-level way.

Critical Recovery Timelines

Sample Business Continuity Recovery Timeline

You will want to lay out any critical recovery timelines that are key to the portion of the business continuity plan. You’ll want to include your Recovery Time Objectives (RTOs) for each process and the Maximum Allowable Downtime (MAD) for the function.

The below image is a sample Recovery Timeline Chart. It lays out each stage of the recovery process and is put into a timeline format so that a business can gauge where they are at in the process and how long it may be estimated to last.

The timeline is not a set-in-stone timeline, but an approximation based on things that usually happen during the recovery phases.

Crisis Management Levels

In many cases, a business continuity plan will also set different crisis management classification levels. Though again, more often placed within Crisis Management documents, some plans include a variation on specific levels of a crisis.

For example, a level one or L-1 could be a crisis or incident in which a facility has sustained damage, but it is minimal and contained within a specific area. The building can be entered but might be closed for up to 5 days or one business week for repairs. On the other hand, a level four or L-4 can mean major damage to the facility. The building is incapable of being occupied and repairs could take a month or longer. Delays in getting permission to enter the building to start repairs are possible.

Ultimately how and what you decide to call out different levels of crisis or sustained damage will be up to you. Creating a defined set of criteria for this beforehand makes it easy to determine what level you will likely be at and works in conjunction with your recovery timeline to gauge how long your business could be disrupted. It also saves you significant time during the crisis trying to figure out how long the disruption and recovery might take.

Crisis Communications

Another key component to include within your business continuity plan is a crisis communications plan. This should primarily be centered around how and when to contact the key specific team members needed to enact the business continuity plan elements during an invocation.

As mentioned previously, key contact information should be included within the business continuity plan so that you don’t have to go hunting for that contact information when it is needed most.

The crisis communication part of the business continuity plan should include who to contact and how initial communications during an incident or crisis should be made. This includes notification and activation of any crisis management team, the business continuity team members, management, and/or key specific employees.

Notifications

Notification of staff, management, and crisis teams is essential during an event or crisis. The quicker this is done, the better the response and outcome you’ll likely have.

It is best to set up predefined steps and systems to provide these notifications ahead of time. It can be done through a third-party notification system, through email, by phone, or any other method or combination of methods you choose.

One common method still used today is using a call tree to have designated people call specific recipients. If you have a recovery team, crisis management team, or incident management team (or other terms of your choosing) they should be one of the first groups to get notified.

Call Tree

Business Continuity Call Tree

A major element of this should also include a Call Tree element of who is supposed to contact whom. The call tree is usually utilized in making initial notifications of an event. It doesn’t need to be complex but should be clearly defined. An example call tree is shown below.  

Communication Templates

As part of your Crisis Communications, you will want to develop crisis communication templates to utilize during an incident, crisis, or disaster. You should have two sets of templates created. One for internal communications and another set for external communications.

It’s best to create some predefined templates with a fill-in-the-blank format so that they can be created quickly, and efficiently so that people aren’t scrambling for what to say during a crisis.

Internal Communications

For internal communications, you’ll want to have key specific messages sent or provided to employees. Some key quick messages that should be ready are:

  • Notifications to staff on staying home, working remotely, or reporting to an alternate location
  • Notifications to stand-by, and/or wait for further instructions
  • Notifications to call specific phone numbers, at specific times for additional information and instructions

External Communications

As with internal communications, you’ll want to have clearly defined external communications ready for several different recipients. For example, you’ll want to communicate one message to your customers, if needed, covering what happened, how long you expect to be disrupted, what you are doing specifically to continue to provide goods and services, how long you expect to be operating at this level if known, and any contact information where they can call in for additional information or, better yet, when the next update can be expected.

You’ll also want to develop messaging for your vendors and a third set of communications to provide to the media and for public consumption.

Picking a Spokesperson

You’ll also want to pick a spokesperson or Public Information Officer (PIO), especially if you need someone to talk directly to the media. While most businesses make their own choices as to who the spokesperson will be, we recommend that the person chosen have some type of media training.

Status Reporting and Updates

As part of your crisis communications, you should have a system set up for receiving incoming status updates as well as reporting out status and situation reporting. Typically, this is done hourly, but your crisis response team should set the tone and pace for outgoing updates.

In setting the tone and pace, be certain to end each update with a specific time when the next status report update will occur.

For more on managing a crisis please see our article on Crisis Management Response and Teams that we will be posting soon.

Recovery Strategies & Steps

The development, creation, and inclusion of recovery strategies and their supporting steps is a key fundamental element of your business continuity plans.

Without both, your business continuity plans will lack the steps needed to implement the required processes and provide minimally acceptable functions for continuing to deliver goods and services to customers.

In fact, one of the reasons why business continuity plans fail is the lack of viable strategies backed by actionable steps.

As we mentioned earlier, it is best to create strategies around certain key specific areas, rather than specific scenarios. The more strategies for each area that you have the greater the likelihood that you will be successful in your ability to execute and continue your business operations.

Here are those key Areas:

People

When creating strategies for your personnel you should start by thinking in terms of sudden and severe staffing shortages. Some questions to consider are:

  1. What is the minimum number of people required to run or implement a function or process?
  2. Do we have cross-trained people that can backfill or shift to cover that function or process?
  3. Does moving personnel to cover a function or process leave another function short or incapable of being completed?
  4. Can personnel on shifts work longer or different shifts without impacting output or capacity?
  5. Can this function or process be completed easily by temporary workers?
  6. Do we need to hire new workers?
  7. How long will it take to train new or temporary hires?

Of course, the above doesn’t account for every situation. I have clients that operate globally, and they have plans to send key staff to other geographic locations in situations where personnel need training. Strategies such as this require additional elements and planning steps. For instance, could a person easily enter the destination country? How long can they stay? What other logistical considerations are required? All these things should be thought out beforehand.

Each strategy selected should be put into place in the order of preference or order they should be completed. If there is no specific order of preference for the strategies, they can still be numbered to track the various options you have available to you. Here is an example:

Strategy 1 – Utilize Existing Staff to Backfill

Strategy 2 – Hire Temporary Staff

Strategy 3 – Hire New Workforce

Steps

Each strategy should have clearly defined, ordered steps to be taken once the strategy is to be implemented. Let’s look at the above strategies and call out steps to complete each.

Sample Business Continuity People Recovery Strategies

Again, the above is not meant to be all encompassing but to provide you an idea as to what is required to support each step. The more specific you can make it the better it will be. For instance, instead of saying call temp agency to increase staffing levels, call them out by name, like this – Call XYZ Staffing Agency at (123) 456-7890. If you have a key contact or account manager there, you can even include, ask for Betty or Steve. The more specific you make it for your business, the better, smoother, quicker, and more efficient your recovery operations will go.

Property

Most businesses will just be concerned about facilities in this section. While that is the key focus here, I also utilize this section for critical and key assets and equipment as well. In this case we break them into their respective sections and have one for each – Facilities, Equipment, and Assets.

In one case, a client we had many years ago was an original equipment manufacturer in the high-tech industry. One of their key pieces of equipment was a million-dollar scanner and had a long lead time. The business had only one of these at the time we were developing their business continuity plans.

The main strategy was to relocate the equipment from the main facility to an alternate facility across the globe by moving it and flying it to an overseas facility until they could acquire an additional one.

Just like in the section for People, Property should lay out each strategy and the supporting steps. Let’s look at some examples for the loss of your facility:

Strategy 1 – Have Staff work Remotely

Strategy 2 – Utilize Space at Vendor Location

Strategy 3 – Utilize Alternate Location

Strategy 4 – Acquire a New Location

Steps

Again, each strategy should have clearly defined and ordered steps to take for each strategy called out.

Sample Business Continuity Facility Recovery Strategies

Follow the same steps above for each additional critical asset or piece of critical equipment for the function or process.

Process

For each process that this department or function requires, document the strategy and steps that will be implemented to complete it.

Let’s look at a few examples of how some businesses handle strategies to implement processes and tasks outside their normal methods.

Strategy 1 – Utilize Alternate Method – Spreadsheet  

Strategy 2 – Utilize Alternate Method – Notify Bank to Utilize Previous Week’s Payroll

Strategy 3 – Utilize Alternate Method – Use Phone to Take Customer Orders

Sample Business Continuity Process Recovery Strategy

Again, the above is meant to be an example, but taken from real responses. You’ll have to work out what is best for your own situation and business. Also make certain that the supporting steps are able to be carried out by your team.

Technology

The technology section usually covers core critical applications that play a functional role in providing or supporting critical processes. For instance, Salesforce, SAP, NetSuite, and other such applications.

Here are some examples:

Strategy 1 – Wait

Strategy 2 – Utilize Alternate Application  

Strategy 3 – Utilize Alternate Method – Spreadsheet

Sample Business Continuity Technology Recovery Strategy

Vendor

It is best to utilize multiple vendors whenever possible. It is just as important to source secondary and tertiary vendors prior to an incident occurring. Yet many businesses continue to source vendors at the time of an incident. I highly recommend you do not wait for an incident to occur.

Whether your vendor supplies a product or a service, you do not want to rely on one vendor and have them be impacted by an incident and stop suddenly serving you.

There are vendors that are the only ones that provide key products or services. Some of these single source vendors have a long lead time as well for obtaining new product. If this is the case, try to anticipate future needs and acquire or purchase the equipment or product before you need it. In many cases barring a disaster you should be able to accurately forecast for your future needs.

Equipment and Asset Location

Any team that requires critical equipment or assets to complete a function or process should know the specifics about these key items including, where they are stored, and what vendors they are associated with.

For instance, facilities should be able to locate and shut off power to the building, the main water shut-off valve, the main gas shut-off valve, the HVAC power cutoff, the sprinkler system shut-off valve, etc.

You may have a key locker, decontamination equipment, laboratory equipment, laser cutters, CNC machines, key records, and documents, etc.

The location, key numbers, serial numbers, vendor, replacement cost, etc. should all be documented.

Annual Exercising & Testing

I generally do not like to use the term testing as some feel it has negative connotations. However, it is also a widely used and accepted term as is exercising. The main reason I avoid the term testing is that it causes some people unneeded and unnecessary anxiety. There is no need to make people feel like they are being placed under a microscope and examined.

With all of that said, exercising business continuity plans annually should be the minimum. Some businesses will exercise some plans twice per year. Others struggle to meet the minimum requirements, and those businesses tend to run into trouble for several reasons.

First, if the plan is not being exercised yearly at a minimum, it is not likely being maintained or updated either, as the yearly exercise usually provides insight into needed changes to the business continuity plans.

Second, the more time that goes by without exercising, the less practice teams have in implementing the plan, and the more outdated it becomes.

When it comes to exercises, I developed an easy to implement and follow methodology called Learn, Practice, Implement, Challenge™.

This methodology has generated a lot of success among our clients and provides a clear, definitive process for progressing through the maturity levels of both a business continuity exercise program and the overall business continuity program.

You can learn more about our proprietary exercise methodology Learn, Practice, Implement, Challenge™ here.

One additional thing we provide to our clients is an exercise scenario booklet that they can utilize to conduct quick exercises and discussion around impacts, recovery strategies, and more. These are designed for teams to add a 3–5-minute discussion around their planning during scheduled team meetings.

This also provides these teams with an edge and the ability to exercise on a small scale more frequently without being disruptive to normal business operations or requiring many resources.  

For overall exercising of your business continuity plans, it is best to set at minimum a yearly schedule at the outset of the program or planning initiation. Once the business continuity plans are at the end of their initial completion, a tabletop walkthrough of the plan should be done.

I’ll be doing an upcoming article to provide more information and a deeper dive into conducting exercises soon.

In the meantime, please check the following articles on the Erwood Group Blog.

Why We Exercise Part 1 of 2 and Why We Exercise Part 2 of 2

Annual Review and Maintenance

Each business continuity plan should be reviewed and updated annually to ensure it is maintained in perpetuity. Ideally, each plan will be updated as key changes to personnel, processes, technology, and other changes occur.

If done in this manner, an annual review can be done easily with a quick once-over, a brief exercise, and updates based on key findings that come out of post-exercise debriefings.

It is important to note here that another key reason for business continuity plan failure occurs when the plan is not dutifully maintained and becomes out of date. Usually when this happens, it is no longer about updating the plan but about creating a new one, beginning the process over again.

Appendices with Supporting Documents, Tracking Logs, and Recovery Forms

The appendix is where you will want to keep key documents needed as part of the recovery process. This includes Vendor lists with contact information, tracking logs, and recovery forms.

Some Additional Information on Business Continuity

The below is some additional information about some key terminology used within the business continuity, contingency planning and disaster recovery industry.

Continuity

If you need more information about business continuity, take a look at our recent article What is Business Continuity and don’t miss our whitepaper on the Importance of Business Continuity too.  

BCP and BCP Meaning

The Business Continuity Plan, commonly referred to as a BCP by business continuity planners within the contingency planning industry, is an important document or series of documents utilized to recover core business functions so that you can continue to provide goods and services to your customers at an acceptable level.

What is a Business Continuity Planner?

A business continuity planner is more of a loose phrase that also covers business continuity manager, business continuity analyst, contingency planner, and many other such positions. A business continuity planner is the person who works within a business to organize, coordinate, develop, and create business continuity plans and programs. They are also charged with overseeing the ongoing lifecycle, maintenance, and improvement of the business continuity plans and programs.

Business Continuity and Disaster Recovery

There are many that speak of Business Continuity and Disaster Recovery interchangeably. However, the truth is they are more nuanced than that. Business Continuity really refers to the overall business functions and processes and keeping the business operations running while Disaster Recovery (DR) is really Information Technology specific. It is also referred to as ITDR. The ITDR focuses on applications, data, network infrastructure, data centers and all things IT related.

BCP vs DRP

Well, this is a bit more complex, as some vendors and providers like to spin or develop their own language around what something is and isn’t. In the last several years, Disaster Recovery Plans (DRPs) have become synonymous with a Business Continuity Plan (BCP). We here at Erwood Group prefer to utilize the term BCP over DRP since the term Disaster Recovery is usually reserved for Information Technology and is also referred to as ITDR.

We have seen the use of the term DRP generate confusion in the businesses that use the term. This is one of the reasons why we recommend the term BCP over the DRP terminology.

However, the terminology used is also most often selected by the client and the use of this term is becoming more commonplace.

Let’s Set the Record Straight

BCP

As previously mentioned, we stated clearly what a BCP is. It is focused on continuing business operations at an acceptable level. BCPs are focused on the business processes and supporting tasks as well as the technologies that are utilized to complete them. It is not just a risk assessment or business impact analysis as those are separate documents. The RAs and BIAs are usually only just briefly mentioned within the Business Continuity Plans. Check our definitions at the top of the article if you’re still not sure what a Business Continuity Plan is.

DRP

Some people are stating that the DRP or Disaster Recovery Plan is the plan that is required to recover the business functions and processes. While this is incorrect and can cause confusion, it is becoming more common to use Disaster Recovery Plan (DRP) to refer to the overall business recovery plan in place of calling it a business continuity plan. Where this causes confusion is that Disaster Recovery (DR) or Information Technology Disaster Recovery (ITDR) as mentioned above are intended to be technology specific. 

So, when you’re referring to one over the other it is best to avoid confusion, especially during a crisis. When someone says “refer to your Disaster Recovery Plan” it is important to know exactly what they mean. This is why it is also important to keep your crisis communications simple and to the point.  We hope you’ll agree and keep the language less confusing.

What Business Continuity Is Not

Another area of confusion created by some providers is that some of them sell appliances in hardware, software, cloud-based, and other hybrid models as providing business continuity. While some of these appliances do assist with disaster recovery and some with business continuity in a specific area, there is no single device or appliance, or set of them, that provides real and complete business continuity to a business.

BCP Reporting

Business Continuity Plan Reporting is usually done at a rate that best applies to the business needs. Many will run monthly or quarterly reports on the status of plans, exercises, updates, and yearly reviews. Most will perform this task yearly when annual reviews are due for accountability purposes.

Risk Assessment Reporting

Risk assessment reporting is usually done by an internal risk management team, and reporting is generally reserved for executive management, who are the primary target audience. Sometimes this is done quarterly. I recommend that, if it is done infrequently, businesses stay abreast and aware of emerging risks either internally or externally.

You can do this by subscribing to the Erwood Group’s Annual Emerging Threat Report or through our weekly View 360 Report. Subscribe to both and stay up to date on all current and emerging risks that may impact your business.

Business Impact Analysis Reporting

Business Impact Analysis reports are presented to executives and business continuity program sponsors and stakeholders to provide both high-level and fine details of the current impacts the business faces. These are often done every three years or when BIAs are conducted.

Financial Impact Analysis

The Erwood Group specializes in and has developed proprietary tools to conduct Financial Impact Analysis for businesses along with our BIAs. This allows businesses to set better strategies and Recovery Time Objectives that are backed financially and provide a more effective cost-benefit analysis of the business recovery strategies.

Recovery Time Objective

The Recovery Time Objective (RTO) is a key finding that sets the timeframe from the declaration of an incident until the recovery of a business function or process.

Recovery Point Objective

The Recovery Point Objective (RPO) sets the amount of data in a specified period that a business can lose. For example, a four-hour RPO sets the acceptable loss of data at 4 hours.

Maximum Allowable Downtime

Maximum Allowable Downtime (MAD) is the maximum amount of time that a function or process can be unavailable to the business. It is usually the least common denominator, or the shortest RTO defined in the processes for that function. For example, if a business function has process 1 with an RTO of eight hours but process 2 at four hours, the MAD would be 4 hours.

BCP Software

There are numerous companies and providers of BCP software available on the market. I have used nearly all of them in supporting various clients. The most common question is which is the best?

This really depends more on the business needs, the cost of the software over the life of the program, and the ease of using the software.

Generally, they all do the same thing. Assist you in creating, managing, and storing your business continuity plans.

They also present their own problems. Using software, it is easy to just go through it and select check boxes and move through the process without deeper expansion.

In many cases, it also presents a single point of failure as most businesses will only keep their business continuity plans within the software being used. I have seen this fail many times. Don’t allow your business continuity software to become your single point of failure.

In conclusion, I hope that this information is enough to get you started on building your business or organization’s business continuity plans.

If you still have questions or need additional help, please schedule a consultation and we’ll be happy to assist you.

Business Continuity

What is Business Continuity

So, what is business continuity anyway? It’s a great question. It’s also a question that comes up all the time. It should have a simple answer, yet the definitions and answers I hear are often long-winded and complex. So, what is business continuity? Before I give you my answer, let me provide you with the definition from the National Fire Protection Agency (NFPA) 1600 (which is their Business Continuity Standard).

According to the NFPA 1600, Business Continuity is “An ongoing process to ensure that the necessary steps are taken to identify the impact of potential losses and maintain viable recovery strategies, recovery plans, and continuity of services.”

I like to keep things simple, so the above is the simplest of all the definitions out there. What do you think about the definition? Do you like it?

Yeah, me neither. As I said, I like to keep things simple. So, let me give you my definition.

What is business continuity? It is disaster preparedness for business.

Disaster Preparedness for Business

There you go. Now it doesn’t get much simpler than that, does it?

Just in case, here is a video by the Business Continuity Institute (BCI) explaining what business continuity is.

Now that we know that business continuity, in its simplest form, is disaster preparedness for business, we need to discuss in more detail how we as a business properly prepare for disasters and disruptions.

Let’s start by looking at the Professional Practices for Business Continuity Management created and maintained by the Disaster Recovery Institute International (DRII).

According to the DRII, Professional Practices are a body of knowledge that provides a framework to develop, implement, and maintain a business continuity program that reduces the likelihood for significant gaps and increases the cohesion of the business continuity program.

The Professional Practices are broken down into ten areas as follows:

  1. Program Initiation
  2. Risk Assessment
  3. Business Impact Analysis
  4. Business Continuity Strategies
  5. Incident Response
  6. Plan Development and Implementation
  7. Awareness and Training Programs
  8. Business Continuity Plan Exercises, Assessment, and Maintenance
  9. Crisis Communications
  10. Coordination with External Agencies

Addressing each of the areas named above as part of your business continuity program increases your ability as a business to recover and operate the business, to continue to provide goods and services to your clients, and to limit potential losses to revenue, reputation, and customers.

Business Continuity Program Initiation

One of the most important parts of a business continuity program is getting it started in the right way. Doing so sets both you and your business up for a successful program.

Here is how to get your program started the right way.

Establish the need for a business continuity program

The first step is determining the need to start a business continuity program. While every business has the need and should have a business continuity program and plan, establishing the need for a program within the business is not always easily accomplished.

To establish a Business Continuity program, you will need to gain the support of others within your business.

Obtain support and funding for the business continuity program

Sometimes gaining support is easier said than done. Here is how to go about gaining support for your business continuity program.  You will need to speak to your colleagues, managers, and executives within the business to obtain both support and funding for the business continuity program.

While business continuity is often looked at as a cost center in that it doesn’t directly attribute revenue to the business, it is an extremely important activity that reduces potential and real losses in revenue in several ways. It also reduces costs. Let me provide you with real examples of results that some of our clients have had.

One client recently obtained a $500 million increase in insurance coverage with zero increase in premium costs. This was done based on the Business Continuity Plans and Program developed after meeting with the insurance providers and providing details of the program and progress made.

Another client was able to reduce potential losses of over $149 million by reducing Recovery Time Objectives (RTOs) from 45 days to just three days and planning accordingly, resulting in a savings of 93%, or $139+ million. With the new strategies in place, the potential loss over three days was approximately $10.5 million. However, since the RTO was reduced to just three days, the likelihood of a loss in revenue was effectively reduced to zero since the customers being served would likely not leave based on just a three-day disruption. This assumption was made based on historical data from other national labs.

Additionally, many businesses are asked to meet business continuity and disaster recovery requirements from customers who want assurance that the products and services provided to them will still be delivered even after a disaster or disruption. This allows businesses that have robust business continuity programs in place to increase their pricing as well.

One of the methods we use here at the Erwood Group is to provide our clients with a Financial Impact Analysis that allows them to visualize the monetary and economic value and utility of implementing a business continuity program. Additionally, we also like to educate them on the many ways in which business continuity provides value to a business.

Once we change the conversation with business executives and managers to how business continuity provides value, and show various ways the business can reduce costs and obtain a return on investment (ROI), implementing a business continuity program just makes sense.

Build the organizational framework to support the business continuity program

Support from executives isn’t the only type of support you’ll be needing. An effective business continuity program needs an organizational framework, systems, methodology, teams, charters, and supporting statements and policies in place to support the needs and requirements of the program.

Additionally, you’ll need someone, preferably a team, that works on and within the business continuity program on a continual basis to keep the program running smoothly.

Charters, Policies, and Statements

Charters, Policies, and even statements can and should be created. The biggest question is which do you need? Ultimately it depends on the needs and requirements of your organization. However, at the very least you should have a general Business Continuity Statement that you can provide to customers that ask if your business has a business continuity plan or program in place. I’d also recommend having a client-facing business continuity statement on your website that is viewable to all current and potential future clients. Keep these statements at a very high level and provide a point of contact if someone wishes to formally ask deeper questions.

A business continuity charter outlines the overall program in its scope, timeline, standards used, its purpose, who heads it and has ownership, the departments, team members, or key players, the implementation of a steering committee, the lifecycle of the planning and program, the actual details of the framework to develop, implement, and maintain the plan and programs over time, and how often reviews and exercises will take place. Ultimately, it is a highly detailed, signed document with executive approval that details the processes of how the business continuity program will be run, managed, and overseen.

A policy is a high-level document that states business continuity is part of the business, is organization-wide, and discusses standards and rules as enforced by the business. It is not as detailed as a program charter is.

Do you need a Charter and a Policy? No. However, if given a choice a charter with its details should be the first and optimal choice. If your organization requires a policy, you may opt to develop both or create a policy that has the depth of a charter.

Steering Committees

Depending on the size of your organization, or as a matter of policy within the organization you may need to or want to create and have the support of a steering committee for your business continuity program. In a smaller business there may not be a need for one, but in a large business with a lot of resources, moving parts, and constant changes it is almost a necessity.

It is usually best to have steering committee members made up of upper management teams that oversee the departments that will be involved in the business continuity program so that they add authority and convey the importance of getting the program off the ground and running smoothly.

In the initial stages of the project, it may be necessary to meet more frequently, but ultimately meeting once per quarter is often enough.

How Many and What Departments Will Be Involved

This is the best time to start planning how many and which departments will be involved. What you want to do primarily is focus on core critical business functions. The difficulty arises when you have a large enterprise with many critical functions spread across the globe.

In the case of large global businesses with many critical core functions, it is best to start this planning early, as this is where many larger companies run into trouble or get ‘Stuck’ in one of the phases of the business continuity program process. If you have gotten stuck – Learn How to Get Unstuck in Your Contingency Planning.

At this stage, it’s best to start planning your strategy for how you will move each department through each of the phases of the program. With 10 or more departments, I usually recommend breaking them into groups of five. This allows you to conduct your first set of Business Impact Analyses and then to quickly move this first group into a strategy selection phase while the BIA is still fresh in their minds.

The BIA phase is a key area where many businesses get stuck. They try to cycle everyone through the BIA phase before moving to the next phase. The reason this becomes an issue is it takes time to do over a large set of departments, functions, and groups. By the time you reach the end, often years later, the original BIAs become stale and irrelevant, and people also have forgotten what was discussed.

This also accounts for a lack of progress, and as a result executive buy-in starts to wane as well.

Here’s what we at Erwood Group do. As we move the first cohort into the strategy selection phase, we also bring the second cohort into the BIA phase. We continually cycle each group through the phases this way to avoid getting stuck, to show progress, and to keep executive buy-in and group participation high. It allows others to see progress being made and achieved. It also assists in boosting results and maintains the momentum of the program.

As soon as you can determine what departments or functions will be taking part, break them into smaller cohorts. Then begin laying out your project roadmap through the phases of the business continuity program.

Introduce key concepts, such as program management, risk awareness, identification of critical functions/processes, recovery strategies, training and awareness, and exercising/testing

This is also the best time to introduce and discuss the key concepts around developing and implementing your business continuity program. You’ll want to discuss the following with your colleagues and management.

Business Continuity Program Management

It’s important to lay the groundwork early on for how the business continuity program will be managed over the short term, including how the program will be initiated and developed, how it will progress into a long-term, everlasting program, and how over time you will get there. This is important to discuss, as you will want to include these key details in the charter we discussed earlier.

Risk Awareness

You’ll want to address and raise risk awareness around the risks that the business faces as well as their impact on your business and operations. This is particularly important if you do not have a risk management team in place currently.

Identification of Critical Functions & Processes

Before proceeding with the various phases of the program initiation and development, time should be spent identifying core and critical functions and processes that are required to keep the business running.

These functions and processes should be focused on:

  1. Life Safety
  2. Revenue Generating or Revenue Sustaining
  3. Customer-Centric Contractual Agreements (SLAs)
  4. Regulatory and Compliance Related
  5. Other Legal Obligations

Note: Most businesses will only need to worry about things like shelter-in-place or evacuation of people, and that’s as far as their life safety concerns need to go. However, in other settings such as healthcare facilities, life safety considerations need to come first and foremost, before revenue generation is considered. This is not to say that revenue generation is unimportant in these facilities, but that life safety considerations need to be at the forefront.

Also, doing this early and having a clear determination on which functions and processes to consider for your business continuity program and which will have business continuity plans developed will prevent you from getting stuck on which areas of the business or organization should participate.

If this is not done using the outline presented above, you will (and even with it, you still may) face a lot of pushback from other functional areas that consider themselves critical. They may in fact be critical during normal business operations, but in the grand scheme of continuing operations during or after a disaster or disruption they will have little impact on the organization until operations return to normal.

Recovery Strategies

Now is the time to meet with executives to establish sensible and workable business continuity recovery strategies.

For instance, most businesses today declare that employees can work remotely, and this is perfectly fine. We just need to be sure that processes and systems are in place to handle this. Since the COVID-19 lockdowns, this is generally not an issue in most cases.

However, some businesses can’t have every staff member work remotely. Workers at manufacturers, laboratories, distribution centers, and other warehouses are needed to keep working at specific locations, and in many cases they require specific pieces of equipment to continue working.

In some situations, employees need to shift work to an alternate worksite. Considerations for notifying employees, and even providing transportation and/or accommodations to employees may be required as well.

You’ll need to select viable business continuity recovery strategies for the following areas:

  1. People
  2. Properties
  3. Processes
  4. Technology
  5. Vendors

Training and Awareness

This is also a great time to begin to think about how you will conduct training and awareness within the business continuity program. There will be two key times for raising awareness and several opportunities to conduct training.

The first real opportunity to generate awareness will be the business continuity program kick-off staff meetings. Holding these meetings is your best first chance at providing high-level awareness around the business continuity program: how it will be conducted, who will be participating, who at the executive level is supporting the effort, what resources are required, how much time will be needed, and the key phases. Another key time for raising awareness is during exercises.

Depending on how you implement, develop, and run the program you’ll have several opportunities to provide training. There can be training provided prior to or during key phases of the program. The number one method of providing training throughout the program into the future will be during exercises.

Exercises, Training, and Testing

As we just mentioned, you will be conducting exercises once the plans are developed. This is done to look for weaknesses and gaps, to learn (training), raise awareness, build confidence, develop new strategies, work with interdependent groups, discover new interdependencies, and more.

While many use a “Crawl, Walk, Run” approach (I hate that saying), we at the Erwood Group use our own methodology and system, developed by our own Keith Erwood, called Learn, Practice, Implement, Challenge™.

The reason I hate the crawl, walk, run saying is that it is too vague and provides no real insight into what you should be doing during the exercises. It provides no information on what the overall goal of the exercise should be or what stage in the process or program the teams are at.

This is the main reason why Learn, Practice, Implement, Challenge™ was created. It provides a clear set of objectives that should be happening at each stage. It also provides a logical progression of where we should be over time. Ultimately, the end goal of a mature program is that we should be able to hold exercises that push seasoned plans and their teams to grow and expand and find new ways or strategies to overcome any obstacle. It also provides a safe environment to learn (potentially to fail and learn in a safe way), and to build skills and confidence in the teams’ capabilities.

We’ll talk more about exercises later. Just know that the Learn, Practice, Implement, Challenge™ methodology can and should be implemented as part of the business continuity program development as well.

Risk Assessment

Risk assessments are extremely important to conduct. Not doing them, or doing them inadequately, is in fact one of the reasons Why Business Continuity Plans Fail.

A risk assessment can be basic or complex in its depth, but it should not be glossed over or skipped. If you’re part of a large organization that has some type of existing risk management team in place, partner with them to obtain the latest risks to the business.

If your business or organization has no risk management team or process in place, visit the Chief Financial Officer, as they are the one responsible for operational risk, and find out if a risk assessment has been done.

If no risk assessment has been done, it is easy to do a basic risk assessment. If you need a resource for this, you can click the link to obtain our free basic risk assessment. If you need something more robust for your risk assessment than our free resource, contact us to see if you require our Advanced Risk Assessment Tool.

One thing I want to add in this section is a brief statement on risk management. Risk management is important to all businesses. Done properly, risk management allows you to take advantage of upside opportunities, while mitigating downside or negative risks and outcomes.

Overall, risk management is looking at the impacts of “what if this scenario occurs?” And business continuity, as a subset of risk management and business preparedness, is what we do when that situation occurs.

Identify risks that can adversely affect an entity’s resources or image

The purpose of the risk assessment is to identify the business or organization’s exposure to certain events (most likely negative at this stage) and put mitigation strategies in place to reduce the impacts.

Additionally, we at the Erwood Group like to define the top five and top ten potential risks to a business or organization and directly call those out so risk mitigation and controls can be put into place.

Assess risks to determine the potential impacts to the entity, enabling the entity to determine the most effective use of resources to reduce these potential impacts

Once the risks and the probability of occurrence are assessed, we begin to look at the impacts on the business should these events occur.

This brings us to conducting an in-depth Business Impact Analysis. 

Business Impact Analysis

The Business Impact Analysis, commonly referred to as the BIA, is one of the most important phases of your overall business continuity program. It is the method used to gather data about your core and critical functions and processes, essentially setting the foundation for your business continuity program and business continuity plans. You’ll use the BIA to gather all the data and information you require to analyze and make key decisions in the development of your business continuity plans.

Here are the key things you’ll be doing with your BIA.

Identify and prioritize the entity’s functions and processes in order to ascertain which ones will have the greatest impact should they not be available

The first step is to identify and prioritize the functions and processes within the business. You’ll then usually work with the most critical and core functions and processes first. This is especially true if you have many business functions and processes within your enterprise. 

Assess the resources required to support the business impact analysis process

Prior to beginning the BIA you’ll need to identify the best resources and Subject Matter Experts (SMEs) for each function and process.

You’ll need to schedule time for each resource and SME for interviews, completing surveys, and potentially completing workshops. It’s best to separate each cohort by department, function, and process to gather the necessary data and ask questions during the interview and workshops.

Key Data to Collect during the BIA

You’ll want to gather some very specific information during the BIA phase for each function and process. This includes:

  • Recovery Time Objective (RTO) of the process
  • Any Dependencies and Interdependencies on other internal or even external groups
  • Applications, Data, and other Technologies the process requires
  • What is the Recovery Point Objective (RPO) of any data that is input into the system?
  • How many people are required to complete the process?
  • What vendors are relied on for this process?

You’ll also want key contact information, especially for vendors and key employees required to complete specific processes.

While many businesses try to collect the absolute minimum data required for expediency, we at the Erwood Group like to utilize the BIA phase to gather all key data we can during this time. This allows us to complete in-depth analysis, Financial Impact Analysis, Downtime calculations, and more. It also requires the same amount of effort and time, so collecting additional data during this phase just makes sense.

With that said, some people forgo the BIA entirely. This is not a good idea and is in fact one of the common reasons why business continuity plans fail as mentioned earlier. It’s better to do a rapid and minimalist BIA than to not do one at all.

Analyze the findings to ascertain any gaps between the entity’s requirements and its ability to deliver those requirements

Once the BIA is complete, this is the time to look for obvious gaps in capabilities, lack of manual processes, and a heavy reliance on specific technologies, groups, or key people.

This is also a time to create a BIA report to share with team members, steering committees, stakeholders, and executives.

Business Continuity Strategies

The development of viable business continuity strategies is an essential part of building your business continuity plan. In fact, I would say it is the keystone required to build an effective plan.

As mentioned earlier you’ll need effective and viable strategies for the following areas:

  1. People
  2. Properties
  3. Processes
  4. Technology
  5. Vendors

Select cost-effective strategies to reduce deficiencies as identified during the risk assessment and business impact analysis processes

Selecting cost-effective strategies, as stated by DRII, is important, but selecting strategies that are effective and viable is just as important, if not more so. There are strategies that can be implemented at zero or low cost in some cases; however, most strategies will incur some or significant costs.

For example, asking people to work from home (WFH) seems like a zero-cost solution, but when implemented thoughtfully and correctly it requires at least some expense, such as laptops and a VPN. Compared to the cost of an alternate location, though, the cost is significantly less.

I’ll do a follow-up post on developing and selecting effective strategies soon.

Incorporating Steps that support the strategies

Once you have the strategies selected, you need to add actionable steps that align with and support the strategies that will be implemented.

These steps should be written in such a manner that would allow other team members or other personnel with the same skill sets to complete the steps should one of the main members of the team become unavailable.

For instance – rather than say we’ll relocate to an alternate location, say we will relocate to 123 location address, City, State, Zip.

Or rather than say we’ll utilize an alternate vendor, state something like the following:

  1. Notify Vendor Name of need
  2. Work with vendor to establish timeframe (to reach need or requirement)
  3. Set or establish communication guidelines
  4. Receive notification from a vendor that processes to support you are online (if needed)
  5. Shift work, personnel, processes, etc. to vendor

Remember, the above is an example, but the more details and steps you have the more smoothly things will fall into place during a crisis. You don’t want someone to have to think through a missing step or requirement that will be needed.

Make certain you list any steps that would need to occur internally as well. Will approval be required to complete a step? Would you need to contact procurement? What about facilities? Lastly, be certain you communicate steps to the incident response team.

Incident Response

Once you complete your Business Continuity Plans, you’ll want to consider how you’ll respond to incidents and develop formal written plans on who is involved and how to respond.

There is quite a bit involved here, and though first responders and emergency responders have a formal set of incident response systems in place, organizations develop their response plans to fit their own internal and perceived needs. Because of this, the private sector is literally all over the map on incident response.

I’ll cover a high-level overview of what your incident response should look like in a separate post.

Develop and assist with the implementation of an incident management system that defines organizational roles, lines of authority and succession of authority

Some sort of incident response needs to be put into place to manage all the parts of an incident, be it a major disaster, a significant disruption to the business or operations of the business, or even a medical emergency on-site, as well as other potential incidents.

The first step will be to determine who will be on the Incident Response Team (IRT) and what each member’s role and responsibilities will be.

For instance, who will be appointed as an Incident Commander? Does this person have ultimate authority to run the incident, and make recovery decisions? If not, who does? What does that look like?

Do any of your personnel have experience with the Incident Command System (ICS) or Incident Action Planning (IAP)?

If you do not have anyone on your team that has experience in these areas I highly recommend taking the IS-100.C: Introduction to the Incident Command System, ICS 100 training available through FEMA. It is free and all members of your team should take the training.

Additional training is available and should be taken as well through the FEMA National Incident Management System (NIMS) site.

Once you determine who will be on the Incident Response Team and what their roles will be you’ll also need to have an assessment team.

Incident Assessment

You’ll need a team to make initial assessments and ongoing assessments of the situation over time. You’ll also need to develop a formal written process and reporting document to make assessments to provide to the Incident Response Team.

These initial assessments can and should be done quickly by the assessment team. As an example, as a former first responder, we would always do a quick 10-second scene survey upon the first arrival at the scene of an incident. It’s a simple quick look around, what do you see, and what determinations can you make in that initial look?

For instance, if you had to evacuate a facility due to a fire, and it is actively burning and you can see flames and smoke, odds are your facility will be unusable and require repairs. It is possible during a later, secondary or tertiary assessment that it is determined that damage was less extensive and only to a specific portion of your facility and only a section or sections will remain unusable.

For a business organization, you should have someone knowledgeable and capable from facilities and information technology to be on your assessment team. Others may need to be added depending on the business type or industry as well.

Define requirements to develop and implement the entity’s incident response plan

Next, you’ll want to establish requirements for how you’ll develop and implement the incident response plan. This includes when it will be activated, how it will be activated, and how members will be notified of an incident and of the activation of the plan.

Over time, your incident response will evolve and incorporate lessons learned from other incidents, and protocols will be developed for when specific key things occur within your business.

Initially, you need some starting points as to how and when the Incident Response Team should meet. Additionally, they should be able to meet in person, virtually, and by phone or radio as needed.

Ensure that incident response is coordinated with outside organizations in a timely and effective manner when appropriate

At some point, you should exercise and coordinate with outside organizations when possible. At the very least you should have contact information for your local emergency responders, such as your local fire department, police station, office of emergency management, hospitals, utility providers, and more.

Reach out and talk to the local fire and police chiefs and invite them to visit your facility.

When an incident occurs, you will have members of your team speaking with and coordinating with these agencies.

You should also have certain information available to present as needed to responders. Some of this additional information could be:

  • Floor plans
  • Location of fire risers and standpipes
  • Location of any hazards or hazardous materials on site
  • Location of shelter in place

Plan Development and Implementation

When it comes time to develop and write your plans, there are a few key things to know. First, when it comes to developing business continuity plans, especially for larger enterprise businesses, plans should be developed by department or function. If this is not done, the plans tend to contain too much information and become too large, and that’s when people tend not to want to look at them.

That said, they should be filled with any pertinent information required to recover your business processes, instructions for manual workarounds, and other steps required to continue performing those functions.

If you’re a smaller or mid-sized business with fewer functions and processes, you can get away with developing a single plan for all your functions. But I strongly recommend that as you grow, and the plan becomes harder to manage and maintain, you break it into smaller and more manageable department-based plans.

Document plans to be used during an incident that will enable the entity to continue to function

When you create and document your plans, you’ll again want to cover key specific areas that we previously mentioned:

  1. People
  2. Properties
  3. Processes
  4. Technology
  5. Vendors

Each of the above should be a clearly defined section and lay out the previously selected strategies and supporting action steps for each strategy selected.

Traditionally, all plans were written or printed out, put into binders, and given to key personnel to carry with them at all times. This presents some potential problems. The biggest issue is the size and weight of the document. No one wants to carry large binders around, especially when they have the perception that they don’t need them today.

Some organizations have resorted to printing and carrying Quick Action Guides that detail initial responses and details of where to locate copies of plans. Others have resorted to paperless electronic versions and have done away with printed copies altogether. Some have resorted to using Business Continuity Software and only store plans within the software.

These solutions are fine, but depending on how the documents are stored, they present other issues.

First and foremost, do not let your technological solution to business continuity become your biggest single point of failure. I have witnessed several clients store their documentation within their business continuity software solution only to be unable to access the documentation later when it’s needed most.

At the very least store the electronic documents in other locations. Create a repository on a shared drive or better yet, use geographically separate locations to store the electronic versions of your plans.

Keep additional copies in your physical Emergency Operations Center (EOC) if you have one. If you have a Virtual EOC (VEOC) make certain the documents are accessible there as well.

Utilize other methods as well such as push notifications, forced saving to a laptop or desktop, etc.

Of course, refer to your organization’s security policies and any other policies that relate to this.

Awareness and Training Programs

It’s essential to create effective Awareness and Training programs around your overall Business Continuity Program. The awareness and training should start early on by incorporating kick-off meetings that explain at a high level what will be taking place.

This helps to build awareness early on. At each key stage, some training should take place and it doesn’t need to be complex. It can be a simple overview of what will be occurring during the current or next phase.

As an example, as you get to the BIA phase you can have all or some of the participants attend a workshop explaining what you’ll be doing together. Show the participants the document you’ll be using which builds awareness and familiarity. Explain to them the information and data you’ll be looking for.

When it comes time to sit down with the members you’ll be meeting with to complete the BIA, it will be easier to obtain the information you’re looking for. At the same time, you will be building on the previous awareness the participants have at each stage.

Establish and maintain training and awareness programs that result in personnel being able to respond to incidents in a calm and efficient manner

Once the plans are established, I find that it is helpful to put informational material together and send it out by the organization’s preferred method, such as a monthly newsletter, a weekly chat message, a bulletin board, etc.

Some of the messaging could be:

  • Through contests where the first to answer correctly might win a prize
  • Messages about current disasters, and disruptions occurring in the world or to the organization
  • General details about current plan statuses
  • Nonspecific (or very specific) details about what to do
  • Asking teams to run through a small scenario for 3 – 5 minutes – What would you do if/when?

Business Continuity Plan Exercise, Assessment, and Maintenance

Shortly after creating your business continuity plan, a tabletop exercise should be held. As I mentioned earlier in this article, this stage is about learning and building additional awareness. You’ll be looking for gaps, additional interdependencies, and weaknesses within the plan.

Overall and over time throughout the remainder of the business continuity program I like to use the Learn, Practice, Implement, Challenge™ methodology I implemented for conducting exercises, assessments, and ongoing maintenance of the plans.

For a deeper dive into the Learn, Practice, Implement, Challenge™ exercise methodology please visit that specific post on the topic.

Establish an exercise, assessment, and maintenance program to maintain a state of readiness

The establishment of a program to exercise, assess, and maintain the plans should be built into the overall business continuity program itself and should be called out and detailed in the business continuity program charter.

Ideally, you should be holding annual exercises at a minimum. Each of these exercises should be progressing through the Learn, Practice, Implement, Challenge™ stages of the exercise methodology. Some plans and teams might need to conduct several stages of practice and implementation of the plans, but the goal should be to achieve a point where teams and plans can be challenged to achieve future success and enhance current strategies.

After each exercise, an assessment should be done (post-incident assessment or after-action review) and clear objectives, outcomes, and lessons learned should be documented.

The plan should then be updated according to the outcomes to make the existing plans better. The new version should be documented, dated, and signed off on by plan owners and reviewers.

Additionally, a formal process should be documented as to who owns the plans and that person should be responsible for yearly reviews and plan maintenance.  

Ideally, plans should be maintained and updated as changes occur to personnel, processes, technology, and vendors. If updates are made as the changes happen, plans are much easier to maintain over time and less likely to become stale and outdated.

Crisis Communications

Making crisis communications part of your business continuity plan and program is another essential element of a successful program.

It is much easier to communicate rapidly and effectively during a crisis if you establish crisis communications frameworks and templates ahead of time, rather than potentially omitting key information or providing incorrect information and making a mistake.

Provide a framework for developing a crisis communications plan

Start with building a framework and team around crisis communication. Select who will be on that team and appoint key spokespeople to make statements internally and externally.

You may need to separate and provide guidelines around internal and external crisis communications as well. Ideally, internal communications will come from key people depending on the situation.

Externally there will be times you want the CEO to make statements and there will be times you do not want the CEO to make a statement. Some businesses may choose to have the CEO always be the public spokesperson, and some may elect to never have the CEO do this. In any case, the spokesperson should have some training.

You will want to establish general information to communicate to employees as to what they should say or how to respond if approached by the media, or anyone else. You also want to send out reminders to employees as needed.

Create templates to communicate to internal and external recipients so that the communication is effective and addresses the key information about an event as needed.

Ensure that each message ends with a date and time the next expected communication is to take place. And, if multiple people are making statements, ensure that they remain consistent in the messaging. Ideally, it is best to select one spokesperson and an alternate.

Ensure that the crisis communications plan will provide for timely, effective communication with internal and external parties

In addition to the information above, make certain that additional updates will be made in a timely manner. In major, rapidly changing events it is normal to provide an hourly update. However, information and situations can evolve rapidly. Sometimes it is best to let the media or others wait on an update (but not for too long) and to let them know that an update will be delayed by ten or fifteen minutes. Optionally, early on it is best to state the next update will be provided in 3 hours or more. Make the cadence of the updates part of your framework.

One important additional item for internal communications: you will receive update requests from managers, frontline workers, stakeholders, customers, etc. asking when a specific process, technology, application, product, or service can be expected to become available again.

I will leave you with these three key points regarding this:

  1. You will not want to repeatedly interrupt the people implementing recovery strategies to ask them when it will become available. Work this into your plans and how this is reported and managed.
  2. Develop a system to provide notification to pertinent individuals when these things become available again.
  3. Always end each official update with a time or date and time as to the next update. Make no other updates until that time.

Coordination with External Agencies

Finally, once you have everything else in place (your plans, your incident management team, your crisis communications) and you have practiced a few times, you will want to include external agencies in your exercises when you can.

Additionally, you’ll want to make sure that your incident response team is ready to speak to and coordinate with external agencies as well.

Establish policies and procedures to coordinate incident response activities with public entities

Ideally, you can create and incorporate policies and procedures on how to coordinate the incident response with external agencies.

Include policies and procedures on communicating with fire officials on the scene. You may even want to ask them what their needs will be ahead of time and make certain that information is available on their arrival.

Do police, paramedics, EMTs, and other first responders know their way around your campus? If not, who will meet them and escort them where they need to go?

How will you coordinate if utility companies need to respond?

Do you know other key agency details and contact information such as hazardous material response teams? Local Office of Emergency Management? Your local Emergency Operations Centers?

So What is Business Continuity Anyway?

I hope you have now learned that business continuity is preparedness for business, and that you now have a method with which to implement it in your business.