Business Continuity Plans

Everything You Need to Know About Business Continuity Plans


Chances are if you’re visiting this page, you are new to the concept of Business Continuity Plans (BCPs) and business continuity overall. You may have just been asked if you have business continuity plans by a current or potential customer. Maybe you were asked by your manager or a business owner to create a business continuity plan for the business or department. If this is the case, you’re in the right place to learn everything you need to know about business continuity plans.

If you’re a seasoned professional, stick around and read through the page and I hope you can learn something new. Or, if you feel like something is missing feel free to add your input in the comments below. I’ll also add to this article over time as things change or develop as needed, or as I learn or try something new.

Let’s get started with perhaps the most basic question, what is a business continuity plan?

Definition of Business Continuity Plan

A business continuity plan is best described as the plan you would use if your business were impacted by a disaster or disruption so that you could continue providing goods and services to your customers and clients. I also like to just call it disaster planning for business. I prefer this because I like to keep things as simple as I can. Also, I have a feeling the above definition is most likely the one you will remember best.

For a more complex version of what a business continuity plan is, let’s look at the official definition from the Disaster Recovery Institute International (DRII) Glossary: “A documented collection of procedures and information that is developed, compiled, and maintained in readiness for use in an incident to enable an organization to continue to deliver its critical products and services at an acceptable predefined level.” NOTE: DRII takes this definition from the Business Continuity Institute (BCI) and Disaster Recovery Journal (DRJ).

Another definition, from the Federal Continuity Directive 1, is: “Continuity Plan is a documented plan that details how an individual organization will ensure it can continue to perform its essential functions during a wide range of events that can impact normal operations.”

While business continuity has been in practice since the 1970s, and it could be argued that it has been around since the 1950s through strategic planning, it is not common knowledge. We’ll get into the history of business continuity in another upcoming article. For now, we’ll just focus on where we are today.

Today what we are seeing is what I like to call “trickle-down continuity.” What I mean by this is that most large enterprises have business continuity plans in place and they are frequently requiring their vendors and suppliers to have similar plans in place. More specifically, they are requiring suppliers to have plans in place to support the continuing production of the goods and services they supply to them.

For smaller and mid-sized businesses, the first time they even hear the phrase business continuity is often through a request from a current or potential client asking if they have a business continuity plan in place.

As mentioned earlier, most larger enterprise-type businesses not only have business continuity plans in place but entire business continuity programs that manage the entire business continuity lifecycle throughout the business. You can learn more about business continuity and business continuity programs through our recent article what is business continuity?

The business continuity plans are commonly developed around the core business functions and processes that are needed to support the key products and services provided to customers. For small businesses, it is common to have just one all-encompassing plan. For businesses that have multiple departments, multiple products, multiple services, and many moving parts to the business, it is best to have multiple plans for each of these functions.

What Goes into Business Continuity Plans?

As I just mentioned you’ll want to focus the business continuity plans around key business functions and processes. We’ll take a deeper dive into those business functions later, but let’s first focus on what goes into creating effective business continuity plans.

Typically, each business continuity plan contains certain key elements that are considered critical to the business operations. Some businesses include additional information specific to their business or operational area they deem important or even critical to the recovery of the department or function the plan is created around.

One important thing to know is that the Business Continuity Plan should contain all the information required to implement the processes and strategies to perform the business functions contained in the plan. They should also have steps listed supporting the strategies in such a manner that someone of the same skill set should be able to follow them, take the appropriate actions, and complete them.

For the purposes of this article, I will discuss the typical elements that go into creating a business continuity plan and lay them out as they would actually appear within your business continuity plan. If needed, feel free to copy the format and use this as your business continuity plan template.

These key elements are as follows:

  • Cover Page
  • Table of Contents
  • Business Continuity Plan Governance (sometimes omitted if in a Business Continuity Charter)
  • Business Continuity Statement
  • Business Continuity Plan Introduction
    • Purpose
    • Scope
    • Assumptions
    • Plan Activation
    • Roles
  • Business Continuity Planning Committee
  • Plan Revision Tracking and Approval
  • Key Contact Information
    • Internal Contacts
    • External contacts
      • Key Vendor Contact Information
      • Insurance Contact Information
      • Other Key Service Provider Contact information
  • Risk Assessment Key Findings
  • Business Impact Analysis Key Findings
  • Critical Recovery Timelines
  • Crisis Management Levels
  • Crisis Communications
    • Internal & External Communications plans & templates
    • Notification
      • Recovery Team Activation
      • Call tree
    • Status Reporting
    • Status updates
  • Recovery Strategies & Steps
    • People
    • Properties
    • Processes
    • Technology
    • Vendors
  • Annual Exercising & Testing
  • Annual and Ongoing Review and Maintenance
  • Appendices with Supporting Documents, Tracking Logs, and Recovery Forms

The above is not meant to be an exhaustive list, but it is a great place to start with your business continuity plans. To some, the above list is also a bit of what they would call overkill as many of these items mentioned can be placed into crisis management documents.

While it is true that this is a lot of information to include within your business continuity plans, we are also working on the assumption that you do not have any planning done previously.

Let’s look at each area individually.

Cover Page

The business continuity plan cover page contains some key information. This includes the name of the plan, who the plan owner is, the date the document was last updated, and the version number.

All of this information allows you to quickly determine if this is the appropriate plan for the needed business functional area recovery and that it is the correct and most up-to-date version of the business continuity plan. 

Naming conventions usually follow a specific format that aligns with the needs and requirements of the business, such as the following examples:

  • Finance Business Continuity Plan
  • Payroll Business Continuity Plan
  • Product Development Business Continuity Plan

Table of Contents

This may seem silly but including a Table of Contents within your business continuity plans is important to finding needed key information quickly in a crisis. Placing colored tabbed pages enables this even further.

Often these documents can grow quite large. Creating clearly defined sections and colorizing those makes it even easier to quickly find the information needed at the moment a disruption occurs. It also allows the main document to be broken up into sections so that the smaller documents can be distributed to teams to run each section. These sections can be created logically such as Operations, Finance, or broken into business recovery areas.

Business Continuity Plan Governance

Businesses that implement an entire business continuity management program will usually start by creating a charter that provides the details, framework, and lifecycle for how the program will be run and how the plans will be created, maintained, and exercised.

For those smaller and mid-sized businesses that do not have a formal business continuity program in place, you’ll either want to create a governance plan or at the very least mention how the plans will be governed and created. Long-term, this should be done as a separate document.

Business Continuity Statement

Each plan should have a brief but informative Business Continuity Statement. These statements are usually just one or two paragraphs, and never longer than a single page, detailing the importance of business continuity to the business or organization. They also mention any alignment to the business mission statement and the reasons for having a business continuity plan and program.

Usually, the business continuity statements will also make mention of any customer, regulatory, or other requirements the business is subjected to.

Additionally, it is also common to develop other customer-facing business continuity statements about the state of business continuity within the business and the importance of these plans and programs. Sometimes it will also include a section of Frequently Asked Questions (FAQs) and their answers with information about what to do for inquiring about these programs further. Business continuity statements such as these are often placed on the business website or in a package given to potential and current customers when they ask about your business continuity plans. 

Business Continuity Plan Introduction

The business continuity plan introduction is usually focused on the individual plan itself. It provides the overall high-level information as to the purpose, functions, and processes of what the business continuity plan is for. It may include the number of strategies or key functions the strategies are focused on.

Purpose

The introduction should also include a brief statement on the purpose of the business continuity plan as it pertains to the business and the key department and functions as part of the plan. This should also outline the specific activities of the plan including:

  • Detailing the departments and/or functional areas the plan covers and calling out the specific supporting processes that roll up into the function
  • The key purpose, which is the capability to restore these departments, functions, and processes to an acceptable level to support the goods and services provided to clients
  • Ensure a consistent and timely response to business disruptions
  • How the business and teams will work to recover these key elements in strategies and steps

Scope

The scope of the business continuity plan usually defines the key areas covered as part of the plan. This also sets the framework that can be applied across a variety of situations, events, disruptions, or disasters as the crisis dictates such as the loss of workspace, workforce, loss of a critical provider, vendor, or loss of technology.

Though some businesses develop plans based on a specific scenario or utilize scenario-based planning contingencies, it is best to set a scope a step above these scenarios. This is similar to the method known in emergency management as All-Hazard planning.

For instance, rather than planning for a fire impacting the business, it is better to plan for the potential loss of the use of your facility. In the end, planning for and coming up with strategies for the loss of your facility allows you to have these contingencies in place for a variety of situations that could render your facility unusable for any length of time.

The following are key things to include as part of your scope:

Loss of Workplace:

Loss of a workplace addresses the temporary or permanent unavailability of a primary work facility. Include the primary location of the facility in a manner such as shown below:

                [City, State] – [Insert Building Address]

Reduction in Workforce:

A reduction in workforce accounts for the temporary unavailability of the primary staff that supports the delivery of a given business process.

Loss of Vendor:

Loss of vendor services addresses the loss of core critical vendors and suppliers that support business operations.

Loss of Technology:

Loss of technology addresses the loss of one or more core critical technologies, including applications, data, data center, and network, hosted and delivered by the Technology Department.

Assumptions

As part of your business continuity plans, you will come up with a core set of assumptions that will be part of your overall planning. These assumptions include parameters around the available services, components of business response, and capabilities, that are required for the business continuity plans to function as designed.

Should these assumptions not hold at the time of an event, disruption, or disaster, the recovery strategies outlined within the plan will need to be enhanced, changed, or improved upon.

Below are typical assumptions contained in a business continuity plan:

General Assumptions

  • Public transportation & infrastructure is available, and not disrupted
  • Personnel & team members can travel, as required
  • At a minimum, one identified method of communication is always available including email/instant message, land-line telephones, and cellular telephones
  • Some experienced & trained personnel familiar with the department’s activities and the Response Procedures are available
  • Civil society infrastructure (e.g., Government, School Systems, Public transportation, Public Communications Networks, Utilities, etc.) may become stressed (short-term delays/disruptions) but will always remain reasonably functional
  • Plans are reviewed and updated upon material change or annually at a minimum

Disruption Specific Assumptions

Loss of Workplace:

  • Only one primary site or location is impacted or disrupted at any time
  • The length of the Workplace disruption may exceed 30 days in duration
  • Alternate sites & locations are not impacted and are available for recovery use
  • Any information/records/inventory/etc. not stored offsite will be inaccessible or destroyed
  • Specialized/unique equipment at the Workplace may be destroyed/damaged/unavailable
  • Remote access capabilities (VPN) can accommodate large-scale remote access of displaced employees either in a remote or relocated fashion
  • Ample physical workspace is available across a geographically distributed footprint to accommodate critical/essential employees requiring physical workspace for an unspecified period

Reduction in Workforce:

  • Up to 50% of normal staff may be unavailable for 4-6 weeks
  • Other local and remote locations may suffer staff shortages concurrently
  • Key personnel may be unavailable/impacted (single-points-of-failure)
  • Standard Operating or Desktop procedures for the daily performance of business operations are documented, available, and managed by the owning business process department

Loss of Vendor:

  • Only one critical provider (e.g., vendor/provider/supplier/dependency) is unavailable at any given time
  • Providers will be able to re-establish services within their contractually stated SLAs as agreed upon and implemented between the business and its third-party vendors and suppliers

Loss of Technology:

  • Application restoration (Recovery Time Objectives and Recovery Point Objectives) and the overall Information Technology recovery timeline are estimated, and actual RTO/RPO values are estimated
  • Business Continuity Planning will be for the loss/unavailability of an individual or single application
  • Estimated workaround procedures, capabilities, and timeframes may change significantly due to a multi-application disruption scenario.

 

Business Functions

One of the key things to decide as part of the scope is which key business functions to include in the business continuity plan. These should be core critical functions that are directly tied to providing core goods and services to customers that produce revenue, or that are tied to and interdependent with revenue-producing activities.

You’ll also want to account for service level agreements (SLAs), regulatory requirements, reputational impacts on the business, and perhaps more. 

Plan Activation

You will want to place language within the plan that describes who, when, and what specific events and situations will cause the Business Continuity Plans to be invoked if you know them. Alternatively, especially among immature business continuity programs, crisis teams are activated and plans are invoked only after assessments confirm the need to start business continuity processes.

In other businesses that have more mature business continuity programs, you will often find pre-defined protocols for when to implement the business continuity plans. Some managers have the authority and experience to decide when to invoke all or parts of a business continuity plan. These protocols are usually implemented over time based on previous experiences that led to situations where partial or full plans had to be invoked. An example of this would be an impact on a business supply chain or supplier where some of these processes need to be shifted quickly.

Roles

You will need to include roles and responsibilities within your plans. Such roles should include Business Continuity Plan Owner and one alternate as well as team members responsible for implementing the BCP Procedures and strategies listed within the business continuity plans.

Responsibilities

Additionally, include clear responsibilities for each member of the Business Continuity Plans. Business Continuity Plan Owners are generally responsible for coordinating the team members and managing the invocation of the BCP, though they may also have to be the primary person implementing the plan if needed.

The team members are usually involved with performing the procedures in implementing the BCP as required. Any alternates are responsible for filling the roles where the primary person is unavailable.

Business Continuity Planning Committee

This is another element that is often covered in a business continuity charter document. However, again, small and mid-sized businesses may opt to include this information within their plans to address the lack of a formal charter. It simply outlines the purpose of the committee and the people on the committee. If the business is small enough, the committee may be the people involved in the plans themselves. 

As you select your committee, make certain you choose someone to chair the committee and set a cadence for how often the committee will meet.

Plan Revision Tracking and Approval

A key element of any business continuity plan is plan revision tracking, along with the approval status and the current version of the plan.

This provides document control and ensures that when the plan is needed for use, those participants are utilizing the correct version of the plan. It also provides evidence of improvement over the course of time.

A typical plan revision tracking looks something like the following:

Business Continuity Plan Revision Tracking

Some plans will have a separate section for approvals like the below:

Business Continuity Plan Approval Tracking

Additionally, the cover page of the plan will often have the version number as well. Long-term tracking is usually done in the appendix area of the document.

Key Contact Information

Every business continuity plan should contain key contact information for various areas. The most important contact information that should be in the business continuity plan is for the plan participants. These should be plan owners, functional area and process owners, and key people that will implement the business continuity plans upon invocation.

Be sure to include not just work email and phone numbers for these people but be certain to also include personal email and phone numbers so that these team members can be contacted during an emergency that may occur outside business hours.

Other key contact information should include the following:

Internal Contacts

Other internal key contacts that are pertinent to the viability of the plan should be included, such as Incident Response Team members and their contact information. Internal contact information may include other teams as well.

External contacts

You’ll want to include important external contact information. Some of this information can be broken into separate sections such as critical customers, critical vendors, and service providers, or placed on a single page if it fits.

You’ll certainly want to include contact information for the following:

  • Facility Management Provider/Building Owner
  • Utility Providers
  • Key Contractors – Electrical, Plumbing, Cleaning, Locksmith, etc.
  • Internet and Telecom Providers
  • Legal
  • Insurance
  • Local Emergency Numbers beyond 911
  • Local hospital numbers
  • Local Emergency Management Office Numbers – EOC
  • Restoration Cleanup providers
  • Document Recovery and Salvage providers

The above is not meant to be an exhaustive list but a starting point. You’ll want to add external contacts based on your own business needs and concerns.

Risk Assessment

A Risk Assessment (RA) is often one of the first things you’ll do after the initial business continuity program creation. You’ll want to include key findings from any risk assessments that were performed. You do not need to include everything or go into deep detail about the risks the business faces. Keep it a high-level overview, with perhaps a direct list of the top 3-5 risks, but I would not go beyond the top ten risks the business is facing.

Business Impact Assessment

The Business Impact Assessment, more commonly referred to as the Business Impact Analysis (BIA), is the method for assessing the impact various events will have on the business. You will also want to document within the business continuity plan that the business has conducted a BIA. Again, there is no need to document this in fine detail; include just the high-level key findings discussing the greatest potential impacts to the business, the potential monetary and operational impacts, and how you might respond in a high-level way.

Critical Recovery Timelines

Sample Business Continuity Recovery Timeline

You will want to lay out any critical recovery timelines that are key to the portion of the business continuity plan. You’ll want to include your Recovery Time Objectives (RTOs) for each process and the Maximum Allowable Downtime (MAD) for the function.

The sample Recovery Timeline Chart lays out each stage of the recovery process in a timeline format so that a business can gauge where it is in the process and how long the process is estimated to last.

The timeline is not a set-in-stone timeline, but an approximation based on things that usually happen during the recovery phases.

 

Crisis Management Levels

In many cases, a business continuity plan will also set different crisis management classification levels. Though again, more often placed within Crisis Management documents, some plans include a variation on specific levels of a crisis.

For example, a level one or L-1 could be a crisis or incident in which a facility has sustained damage, but it is minimal and contained within a specific area. The building can be entered but might be closed for up to 5 days or one business week for repairs. On the other hand, a level four or L-4 can mean major damage to the facility. The building is incapable of being occupied and repairs could take a month or longer. Delays in getting permission to enter the building to get repairs started are possible.

Ultimately, how you define the different levels of crisis or sustained damage, and what you call them, will be up to you. Creating a defined set of criteria for this beforehand makes it easy to determine what level you will likely be at and works in conjunction with your recovery timeline to gauge how long your business could be disrupted. It also saves you significant time during the crisis trying to figure out how long the disruption and recovery might take.

Crisis Communications

Another key component to include within your business continuity plan is a crisis communications plan. This should primarily be centered around how and when to contact the key specific team members needed to enact the business continuity plan elements during an invocation.

As mentioned previously, key contact information should be included within the business continuity plan so that you don’t have to go hunting for that contact information when it is needed most.

The crisis communication part of the business continuity plan should include who to contact and how initial communications during an incident or crisis should be made. This includes notification and activation of any crisis management team, the business continuity team members, management, and/or key specific employees.

Notifications

Notification of staff, management, and crisis teams is essential during an event or crisis. The quicker this is done, the better the response and outcome you’ll likely have.

It is best to set up predefined steps and systems to provide these notifications ahead of time. It can be done through a third-party notification system, through email, by phone, or any other method or combination of methods you choose.

One common method still used today is using a call tree to have designated people call specific recipients. If you have a recovery team, crisis management team, or incident management team (or other terms of your choosing) they should be one of the first groups to get notified.

Call Tree

Business Continuity Call Tree

A major element of this should also include a Call Tree element of who is supposed to contact whom. The call tree is usually utilized in making initial notifications of an event. It doesn’t need to be complex but should be clearly defined. An example call tree is shown below.  

Communication Templates

As part of your Crisis Communications, you will want to develop crisis communication templates to utilize during an incident, crisis, or disaster. You should have two sets of templates created. One for internal communications and another set for external communications.

It’s best to create some predefined templates with a fill-in-the-blank format so that messages can be created quickly and efficiently, and people aren’t scrambling for what to say during a crisis.

Internal Communications

For internal communications, you’ll want to have key specific messages sent or provided to employees. Some key quick messages that should be ready are:

  • Notifications to staff on staying home, working remotely, or reporting to an alternate location
  • Notifications to stand-by, and/or wait for further instructions
  • Notifications to call specific phone numbers, at specific times for additional information and instructions

External Communications

As with internal communications, you’ll want to have clearly defined external communications ready for several different recipients. For example, you’ll want to communicate one message to your customers, if needed, covering what happened, how long you expect to be disrupted if you have disruptions, what you are doing specifically to continue to provide goods and services, how long you expect to be operating at this level if known, and any contact information where they can call in for additional information or, better yet, when the next update can be expected.

You’ll also want to develop messaging for your vendors and a third set of communications to provide to the media and for public consumption.

Picking a Spokesperson

You’ll also want to pick a spokesperson or Public Information Officer (PIO) especially if you need someone to talk directly to the media. While most businesses make their own choices as to whom the spokesperson will be, we recommend that the person chosen should have some type of media training.  

Status Reporting and Updates

As part of your crisis communications, you should have a system set up for receiving incoming status updates as well as sending out status and situation reports. Typically, this is done hourly, but your crisis response team should set the tone and pace for outgoing updates.

In setting the tone and pace be certain to end each update with a specific time as to when the next status report update will occur.

For more on managing a crisis please see our article on Crisis Management Response and Teams that we will be posting soon.

Recovery Strategies & Steps

The development, creation, and inclusion of recovery strategies and their supporting steps is a key fundamental element of your business continuity plans.

Without both of them, your business continuity plans will lack the necessary steps to implement the processes required to provide minimally acceptable functions and a continuation of goods and services to customers.

In fact, one of the reasons why business continuity plans fail is the lack of viable strategies backed by actionable steps.

As we mentioned earlier, it is best to create strategies around certain key specific areas, rather than specific scenarios. The more strategies for each area that you have the greater the likelihood that you will be successful in your ability to execute and continue your business operations.

Here are those key areas:

People

When creating strategies for your personnel you should start by thinking in terms of sudden and severe staffing shortages. Some questions to consider are:

  1. What is the minimum number of people required to run or implement a function or process?
  2. Do we have cross-trained people that can backfill or shift to cover that function or process?
  3. Does moving personnel to cover a function or process leave another function short or incapable of being completed?
  4. Can personnel on shifts work longer or different shifts without impacting output or capacity?
  5. Can this function or process be completed easily by temporary workers?
  6. Do we need to hire new workers?
  7. How long will it take to train new or temporary hires?

Of course, the above doesn’t account for every situation. I have clients that operate globally, and they have plans to send key staff to other geographic locations in situations where personnel need training. Strategies such as this require additional elements and planning steps. For instance, could a person easily enter the destination country? How long can they stay? What other logistical considerations are required? All these things should be thought out beforehand.

Each strategy selected should be put into place in the order of preference or order they should be completed. If there is no specific order of preference for the strategies, they can still be numbered to track the various options you have available to you. Here is an example:

Strategy 1 – Utilize Existing Staff to Backfill

Strategy 2 – Hire Temporary Staff

Strategy 3 – Hire New Workforce

Steps

Each strategy should have clearly defined, ordered steps to take once that strategy is to be implemented. Let’s look at the above strategies and call out steps to complete each.

Sample Business Continuity People Recovery Strategies

Again, the above is not meant to be all-encompassing but to give you an idea of what is required to support each step. The more specific you can make it, the better it will be. For instance, instead of saying "call temp agency to increase staffing levels," call them out by name, like this: Call XYZ Staffing Agency at (123) 456-7890. If you have a key contact or account manager there, you can even include "ask for Betty or Steve." The more specific you make it for your business, the better, smoother, quicker, and more efficient your recovery operations will go.

Property

Most businesses will just be concerned about facilities in this section. While that is the key focus here, I also utilize this section for critical and key assets and equipment as well. In this case we break them into their respective sections and have one for each – Facilities, Equipment, and Assets.

In one case, a client we had many years ago was an original equipment manufacturer in the high-tech industry. One of their key pieces of equipment was a million-dollar scanner with a long lead time. The business had only one of these at the time we were developing their business continuity plans.

The main strategy was to relocate the equipment by flying it from the main facility to an alternate facility overseas until they could acquire an additional one.

Just like in the section for People, Property should lay out each strategy and the supporting steps. Let’s look at some examples for the loss of your facility:

Strategy 1 – Have Staff Work Remotely

Strategy 2 – Utilize Space at Vendor Location

Strategy 3 – Utilize Alternate Location

Strategy 4 – Acquire a New Location

Steps

Again, each strategy called out should have clearly defined, ordered steps.

Sample Business Continuity Facility Recovery Strategies

Follow the same steps above for each additional critical asset or piece of critical equipment for the function or process.

Process

For each process that this department or function requires, document the strategy and steps that will be implemented to complete it.

Let’s look at a few examples of how some businesses handle strategies to implement processes and tasks outside their normal methods.

Strategy 1 – Utilize Alternate Method – Spreadsheet  

Strategy 2 – Utilize Alternate Method – Notify Bank to Utilize Previous Week’s Payroll

Strategy 3 – Utilize Alternate Method – Use Phone to Take Customer Orders

Sample Business Continuity Process Recovery Strategy

Again, the above is meant to be an example, but taken from real responses. You’ll have to work out what is best for your own situation and business. Also make certain that the supporting steps are able to be carried out by your team.

Technology

The technology section usually covers core critical applications that play a functional role in providing or supporting critical processes. For instance, Salesforce, SAP, NetSuite, and other such applications.

Here are some examples:

Strategy 1 – Wait

Strategy 2 – Utilize Alternate Application  

Strategy 3 – Utilize Alternate Method – Spreadsheet

Sample Business Continuity Technology Recovery Strategy

Vendor

It is best to utilize multiple vendors whenever possible. It is just as important to source secondary and tertiary vendors before an incident occurs. Yet many businesses continue to source at the time of an incident. I highly recommend you do not wait for an incident to occur.

Whether your vendor supplies a product or a service, you do not want to rely on one vendor and have them be impacted by an incident and suddenly stop serving you.

There are vendors that are the only ones that provide key products or services. Some of these single-source vendors also have a long lead time for obtaining new product. If this is the case, try to anticipate future needs and acquire or purchase the equipment or product before you need it. In many cases, barring a disaster, you should be able to accurately forecast your future needs.

Equipment and Asset Location

Any team that requires critical equipment or assets to complete a function or process should know the specifics about these key items, including where they are stored and what vendors they are associated with.

For instance, facilities should be able to locate and shut off power to the building, the main water shut-off valve, the main gas shut-off valve, the HVAC power cutoff, the sprinkler system shut-off valve, etc.

You may have a key locker, decontamination equipment, laboratory equipment, laser cutters, CNC machines, key records, and documents, etc.

The location, key numbers, serial numbers, vendor, replacement cost, etc. should all be documented.

Annual Exercising & Testing

I generally do not like to use the term testing as some feel it has negative connotations. However, it is also a widely used and accepted term as is exercising. The main reason I avoid the term testing is that it causes some people unneeded and unnecessary anxiety. There is no need to make people feel like they are being placed under a microscope and examined.

With all of that said, annual exercising of business continuity plans should be the minimum number of times the plan is exercised or put into practice. Some businesses will exercise some plans twice per year. Others struggle to meet the minimum requirements, and those businesses tend to run into trouble for several reasons.

First, if the plan is not being exercised yearly at a minimum, it is not likely being maintained or updated either, as the yearly exercise usually provides insight into needed changes to the business continuity plans.

Second, the more time that goes by without exercising, the less practice teams have in implementing the plan, and the more outdated it becomes.

When it comes to exercises, I developed an easy to implement and follow methodology called Learn, Practice, Implement, Challenge™.

This methodology has generated a lot of success among our clients and provides a clear, definitive process for progressing through the maturity levels of both the business continuity exercise program and the overall business continuity program.

You can learn more about our proprietary exercise methodology Learn, Practice, Implement, Challenge™ here.

One additional thing we provide to our clients is an exercise scenario booklet that they can utilize to conduct quick exercises and discussion around impacts, recovery strategies, and more. These are designed for teams to add a 3–5-minute discussion around their planning during scheduled team meetings.

This also provides these teams with an edge and the ability to exercise on a small scale more frequently without being disruptive to normal business operations or requiring many resources.  

For overall exercising of your business continuity plans, it is best to set at minimum a yearly schedule at the outset of the program or planning initiation. Once the business continuity plans reach their initial completion, a tabletop walkthrough of the plan should be done.

I’ll be doing an upcoming article to provide more information and a deeper dive into conducting exercises soon.

In the meantime, please check the following articles on the Erwood Group Blog.

Why We Exercise Part 1 of 2 and Why We Exercise Part 2 of 2

Annual Review and Maintenance

Each business continuity plan should be reviewed and updated annually to ensure it is maintained in perpetuity. Ideally, each plan will be updated as key changes to personnel, processes, technology, and other changes occur.

If done in this manner, an annual review will be easily done with a quick once-over, a brief exercise, and updates per key findings that come out of post-exercise debriefings.

It is important to note here that another key reason for business continuity plan failure is that the plan is not dutifully maintained and becomes out of date. Usually when this happens, it is no longer about updating the plan but about creating a new one and beginning the process over again.

Appendices with Supporting Documents, Tracking Logs, and Recovery Forms

The appendix is where you will want to keep key documents needed as part of the recovery process. This includes vendor lists with contact information, tracking logs, and recovery forms.

Some Additional Information on Business Continuity

The below is some additional information about some key terminology used within the business continuity, contingency planning and disaster recovery industry.

Continuity

If you need more information about business continuity, take a look at our recent article What is Business Continuity and don’t miss our whitepaper on the Importance of Business Continuity too.  

BCP and BCP Meaning

The Business Continuity Plan, commonly referred to as a BCP by business continuity planners within the contingency planning industry, is an important document or series of documents utilized to recover core business functions so that you can continue to provide goods and services to your customers at an acceptable level.

What is a Business Continuity Planner?

A business continuity planner is more of a loose phrase that also covers business continuity manager, business continuity analyst, contingency planner, and many other such positions. A business continuity planner is the person who works within a business to organize, coordinate, develop, and create business continuity plans and programs. They are also charged with overseeing the ongoing process lifecycle, maintenance, and improvement of the business continuity plans and programs.

Business Continuity and Disaster Recovery

There are many that speak of Business Continuity and Disaster Recovery interchangeably. However, the truth is they are more nuanced than that. Business Continuity really refers to the overall business functions and processes and keeping the business operations running while Disaster Recovery (DR) is really Information Technology specific. It is also referred to as ITDR. The ITDR focuses on applications, data, network infrastructure, data centers and all things IT related.

BCP vs DRP

Well, this is a bit more complex, as some vendors and providers like to spin or develop their own language around what something is and isn’t.

Let’s Set the Record Straight

BCP

As previously mentioned, we stated clearly what a BCP is. It is focused on continuing the business operations at an acceptable level. It is not just a risk assessment or business impact analysis as those are separate documents. The RAs and BIAs are only just briefly mentioned within the Business Continuity Plans. Check our definitions at the top of the article if you’re still not sure what a Business Continuity Plan is.

DRP

Some providers in the technology space are stating that the DRP or Disaster Recovery Plan is the plan that is required to recover the business functions and processes. This is incorrect and can cause confusion. The Disaster Recovery Plan (DRP), also known as Disaster Recovery (DR) or Information Technology Disaster Recovery (ITDR) as mentioned above, is intended to be technology specific. It’s easy enough to get confused, as people often use many of these terms interchangeably, even without providers adding to the confusion.

What Business Continuity Is Not

Another area of confusion created by some providers is that some of them sell appliances in hardware, software, cloud-based, and other hybrid models as providing business continuity. While some of these appliances do assist with disaster recovery, and some with business continuity in a specific area, there is no single device or appliance, nor any combination of them, that provides real and complete business continuity to a business.

BCP Reporting

Business Continuity Plan Reporting is usually done at a rate that best applies to the business needs. Many will run monthly or quarterly reports on the status of plans, exercises, updates, and yearly reviews. Most will perform this task yearly when annual reviews are due for accountability purposes.

Risk Assessment Reporting

Risk assessment reporting is usually done by an internal risk management team and reporting generally is reserved for executive management who are the primary target audience. Sometimes this is done quarterly. I recommend that if done infrequently businesses stay abreast and aware of emerging risks either internally or externally.

You can do this by subscribing to the Erwood Group’s Annual Emerging Threat Report or through our weekly View 360 Report. Subscribe to both and stay up to date on all current and emerging risks that may impact your business.

Business Impact Analysis Reporting

Business Impact Analysis reports are presented to executives and business continuity program sponsors and stakeholders to provide both high-level and fine details of the current impacts the business faces. These are often done every three years or when BIAs are conducted.

Financial Impact Analysis

The Erwood Group specializes in and has developed proprietary tools to conduct Financial Impact Analysis for businesses along with our BIAs. This allows businesses to set better strategies and Recovery Time Objectives that are backed financially and provide a more effective cost-benefit analysis of the business recovery strategies.

Recovery Time Objective

The Recovery Time Objective (RTO) is a key finding that sets the timeframe from the declaration of an incident until the recovery of a business function or process.

Recovery Point Objective

The Recovery Point Objective (RPO) sets the amount of data in a specified period that a business can lose. For example, a four-hour RPO sets the acceptable loss of data at 4 hours.

Maximum Allowable Downtime

Maximum Allowable Downtime (MAD) is the maximum amount of time a business function or process can be unavailable. It is usually the least common denominator, or the shortest RTO defined in the processes for that function. For example, if a business function has process 1 with an RTO of eight hours but process 2 at four hours, the MAD would be 4 hours.

BCP Software

There are numerous companies and providers of BCP software available on the market. I have used nearly all of them in supporting various clients. The most common question is which is the best?

This really depends more on the business needs, the cost of the software over the life of the program, and the ease of using the software.

Generally, they all do the same thing: assist you in creating, managing, and storing your business continuity plans.

They also present their own problems. Using software, it is easy to just go through it and select check boxes and move through the process without deeper expansion.

In many cases, it also presents a single point of failure as most businesses will only keep their business continuity plans within the software being used. I have seen this fail many times. Don’t allow your business continuity software to become your single point of failure.

In conclusion, I hope that this information is enough to get you started on building your business or organization’s business continuity plans.

If you still have questions or need additional help, please schedule a consultation and we’ll be happy to assist you.

Learn Practice Implement Challenge

 

Here at the Erwood Group, we’ve created a new exercise methodology. A new paradigm for the way a business exercises, trains, and prepares for a crisis. It is called Learn, Practice, Implement, Challenge™ – the new exercise methodology to increase your business endurance.

I’m sure you’ve heard the phrase “crawl, walk, run” before, right?

Now, go ahead and tell me what you mean by that exactly, and I bet you’ll have some trouble.

“Crawl, walk, run” is a phrase I commonly hear, especially around exercises. It’s a phrase that I hate. It’s just too vague, overly simplified, and completely nondescriptive, leaving out key details about just how we are supposed to progress through to something bigger and better. Can you tell me what you’re supposed to be trying to achieve?

Of course, you can’t.

That’s why many years ago I came up with the phrase Learn, Practice, Implement, Challenge™ which provides not only the descriptive details but the overarching goal of what we’re trying to accomplish with each stage of our exercise progression.

First and foremost, we have our Learning stage:

Learn

Sounds simple enough. At this stage, we teach our new plan owners and participants what they should be doing. Learning. It is designed to get everyone in the same place. As a team. They learn they have a plan, what is in the plan, where to find the plan, how to update and maintain the plan (and who is responsible for that maintenance), and we go through the plan, especially the strategy section and steps based on the strategies.

At this point we walk the participants through each strategy, asking questions about the strategy validity, any potential for this not to work, dependencies required for the strategy to work, and any additional strategies or sub-strategies we can add.

Next, we walk through each step required to implement the strategies, making sure the details needed are captured and not left too vague. Vague steps make the information impractical at best and unimplementable during a crisis at worst. For instance, if a recovery strategy calls out the reliance on a secondary vendor, that vendor should be called out by name. And then tertiary vendors and so on. Think in terms of: if someone other than my main team members had to implement this plan, what information would they need?

At the end of this exercise, we still conduct an after-action review and collect all the appropriate data such as lessons learned, what went well, what worked, what didn’t, and how we can improve. We’ll also ask if they would like to add any additional input and what other kinds of disruptive events they have experienced in the past. All of this is done to create familiarity and training for future exercises as well. The entire process is about having the participants learn new skills and improve their existing plans.

Once these learning stage exercises are conducted and the plans updated to reflect the exercise outcomes and additional strategies, the work begins to set up the next round of exercises for the practice stage.

Practice

Usually taking place about a year after the learning stage, the practice phase starts to get a little bit more intense. Still, in a tabletop setting in most cases, the participants are expected to know how to access their business continuity plans, how to access information within the plan, and how to walk through the steps to invoke the plan successfully. This is usually done and presented as part of a scenario impacting the business and forcing the plans to be activated.

At this practice stage, the idea isn’t to do anything too hard but to present the exercise, have the team attempt to achieve a predetermined set of goals, and even guide them into the next steps through a series of questions or injects. They may do so exceedingly well or may fail and learn a series of lessons. The idea, though, is to allow them to practice their plan in a controlled environment where they can feel safe and make mistakes, not to push them to the brink where it becomes a stressful, overwhelming event where they learn nothing and feel defeated.

In some cases, it may be necessary to hold several practice sessions with the team before moving on to the next stage of maturity in the exercise progression. Perhaps twice a year or more. More on this later in another post. 

The point is some teams will need to practice a few times before their comfort and confidence levels allow them to move onto the implementation stage. As with the learning stage, we hold an after-action review session immediately following each exercise.

Implement

Next is implementing the plans during an exercise. Here we start with the overall purpose of the exercise, as in, what are we exercising? Are we testing the ability to send notifications? Implement strategies? Can the steps needed to initiate and complete the strategy be followed? Can vendors be notified and coordinated with? Can customers be notified and coordinated with as expected? Can key personnel go to and work from an alternate location or remotely?

For all these implementations and more, are they successful? Did they fail? If so, why? Can the cause of the failure be easily determined? What worked well? What didn’t? Where is there room for improvement? How were internal communications? Were there errors? What were they? Did we use alternate applications to access information? How did that go? Are we tracking things manually? Did it work effectively? Where are there stumbling blocks and bottlenecks?

So, to summarize this section, Implementation exercises are exactly that, implementation of parts of the plan such as a select strategy, communications internally or externally, notifications to team members or other teams, or the implementation of the whole or parts of the plan that would be needed to fit the scenario.

Once teams have had the opportunity to implement their plans, we will start to Challenge them.

Challenge

The challenge phase is exactly what it sounds like, we create a scenario or series of scenarios that begin to challenge the plan owners and participants. This is done to expand the teams’ capabilities, build massive confidence, and the capability to learn and improvise based on what they know and the strategies available to them within the plan.

This challenge phase is never done with the idea of forcing the team to the brink and forcing failure, but to provide a safe learning environment to expand their capabilities. In other words, don’t make it so impossible that they do fail, but challenging enough that it forces them to think, act, and improve upon what is there so they can be ready for real incidents should they arise. Put another way, the challenge level exercises should elevate the team involved and make them better for participating in the exercise.

I’ve seen some exercise designers and facilitators develop exercises where they knock off (kill) many or all key personnel, make it impossible to contact vendors, and inject failure at every turn. Not that some of these things can’t happen. They do. But the idea is to provide a positive learning experience for the people involved.

If they aren’t learning at every stage or phase along the way and are just placed in a stressful situation where failure is the only or main outcome, they will walk away unhappy, discouraged, with less confidence, and less likely to look forward to or participate in another exercise.

In fact, if this has been the case, you may need to reinitiate the exercises at the learn or practice phase level again just to build up your team. 

So, get out there, and Learn, Practice, Implement, and Challenge your business continuity, disaster recovery, and crisis management teams.

As part of our challenge phase, as businesses mature in the exercise phase to improve their preparedness, we offer world-class training and exercises to take their endurance to the next level. We have partnered with an Academy Award-winning special effects team to create real-world events and scenarios in a safe and controlled environment.

 

Keith Erwood is the COO, Co-Founder, and Principal Managing Consultant of the Erwood Group. The Erwood Group focuses on business preparedness, business continuity, disaster recovery, and crisis management. We create enduring businesses that Prepare, Prevent, Profit through planning, mitigation and exercising. #Endurance>Resilience

Are You Up to the Challenge?

 

Introducing the View 360 Report

The View 360 Report is our weekly subscriber-only Business Intelligence Report, designed to provide the reader with situational awareness of emerging threats that could impact their business and personal lives. Unlike other reports that just bring you the potential threats and risks, we provide direct actionable measures to mitigate the impact to your business and life.

View 360 is also designed to supplement our yearly Emerging Threat Report (sold separately) published in January of each year.

The contents of each View 360 Report are sent out to subscribers each week in an easy-to-read PDF text-based format. It includes a Situation Awareness Points Overview where we highlight each threat in bullet point form, below that we go through each bullet point highlighting the details of the threat including our opinion on the topic and what to expect, along with an occasional deeper insight providing additional comments, then finally actionable measures where we provide details on mitigations that can be implemented. Then we provide a Cyber Event update on cyber events that have occurred since the last View 360 Report. Next, we bring you information surrounding planned protests around the United States detailing the cause, the place and time the event is happening and the latest intelligence on how many are planning to attend or how many are interested in the protest. Finally, we bring you our weather outlook for the week.

We have also started a private Facebook-based group for subscribers only where we can provide additional updates on key events daily as well as host discussions.

Currently, subscribers can try the View 360 Report for free for 14 days and then will be charged $49 per month thereafter. You can subscribe directly to the View 360 Report here. Cancel at any time.

Grab a free sample copy of a previous View 360 report and be sure to subscribe so you don’t miss any emerging threats in the future.  

 

 

Yesterday, I shared some Golden Nuggets on the benefits of exercising your Crisis Teams and why we exercise. Today, I am going a little deeper on another major hidden and often overlooked benefit that exercises create.

Confidence.

Whether for Crisis Teams, Incident Management teams (or whatever you like to call your team), Business Continuity Teams, or especially Information Technology Disaster Recovery (ITDR) teams, frequent, repeated exercises build confidence.

Confidence among the team(s) themselves, confidence in managers and executives of the business, and confidence from your customers and business partners. The most important place to build this confidence is among the teams that are doing the recovery work.  

As you might expect, a lack of exercises among your teams has the opposite effect. It can cause your team to break down and literally destroy their confidence, which also negatively impacts recovery times and overall recovery.

Let me provide some deeper insight by using an example from some previous work I did.

Several years ago, I was consulting for a major airline assisting some of the IT teams to develop Disaster Recovery Plans, getting them to move beyond tabletop walkthroughs and doing “functional” exercises, as well as documenting the exercise to get credit during an audit.

It is important for me to state here that this was a project based on an internal audit outcome. I was working with the bottom performers on remediation based on that audit. These were groups that either:

  • Had zero plans in place
  • Never conducted an ITDR exercise beyond a tabletop walkthrough
  • Conducted a functional exercise but didn’t document it properly and received no credit for doing the exercise

I want to talk about a particular group within that project that I worked with and why they never conducted anything more than a tabletop walkthrough, and why they lacked confidence and were afraid to even think of doing anything functional.

During my first meeting with this group, I specifically asked the simple question:

Why haven’t you done a functional failover exercise in the past?

The reply may come as a surprise to many of you but didn’t surprise me at all. The response they provided to me was that they weren’t allowed to do anything beyond a tabletop walkthrough.

My follow-up question to them was, who said that they were not allowed to conduct a functional exercise?

The Response: “The Business” (specifically operations).

After some discussion, I learned that the “business side” in the operations leadership felt that the systems and application were too critical to do a functional failover exercise while the application was running in production.

However, the systems and application weren’t deemed or signed off as too critical for such an exercise. Yet every time the team submitted a request to conduct a functional failover exercise, operations would reject it and say it was too critical.

Normally, when the business deems a set of systems and/or applications too critical to complete these failover exercises, they elevate them as such, and the business signs off on it as well as accepting the risk of not having these exercises done.

Not really the best decision as there are ways to do these exercises even while in production. But that is not the purpose of this story.

You see, this team not only lost confidence but felt a distrust in their capabilities from business leadership. So much so that, after working with them on both the development of a runbook and a tabletop walkthrough, when I proposed having them submit a request to conduct a functional failover exercise, I was told, “there’s no point, they’ll never sign off on it.”

I told them, let me worry about that, you just pick a date and submit the request.

Behind the scenes, I was working with my engagement manager to either get the business to approve the request, or bump the criticality up to properly accept the risk, and sign off on it.

We got the approval.

Over the next 30 days, I worked with that team on their runbook to ensure that every step was in there and that they knew how to properly document and track the failover exercise, including backout procedures.

When the day of the exercise came, they performed wonderfully and did everything right.

They hit a glitch late in the exercise and couldn’t do a 100% successful failover. But they did achieve the following:

  • They learned a lot. They ran into several issues during the exercise and were able to overcome them and move forward
  • They properly documented what they were doing. Conducting log capture, taking screenshots of before and after states, taking notes as they moved through the process for later use
  • They completed an after-action review and discussed lessons learned, things that went wrong, and things that went well

All of this, even though the outcome wasn’t a successful failover during the exercise. They learned immensely during the exercise. They learned they could depend on one another to complete their assigned tasks. And the business learned they could trust the team to do the failover exercise, without disrupting the production environment.

The most important part: they were happy as a team and gained massive confidence in their own capabilities. This allowed them to continue to conduct exercises, gain further confidence, and learn new skills.

In the end, a successful exercise isn’t always about a successful failover or other such success. In fact, you can learn a great deal when you fail. And when you learn and build the lessons into your plans, that is when the real success comes.

That, and the confidence you gain will boost you and your team during the next exercise or incident.

So. Get out there. Exercise and build confidence in yourself and your team.

 

The reasons why we exercise are often varied yet sometimes misunderstood by many. Below I will share some of the many reasons why we exercise and perhaps you’ll gain some insights into Why We Exercise.

Let me let you in on a little secret – A Golden Nugget – even the professionals make mistakes.

This is at all levels, in all industries, it even holds true in sports.

But what I am talking about specifically here are first responders and emergency managers. We all make mistakes.

Why am I telling you this? Perspective!

First Responders and Emergency Managers consistently drill, practice, and run exercises regularly. Yet they still make mistakes. They also have great outcomes, but they do make mistakes.

After each exercise, drill, or real incident they hold a debriefing. This is done whether it was a tabletop or a large-scale multi-agency functional exercise or a real incident.

The debriefing covers:

  • What went well
  • What went wrong
  • How can we do better
  • This worked great and we should implement it more
  • What did we learn – Lessons Learned
  • What are your takeaways
  • Let’s revisit and have a conversation on what we need to improve on

The reason why they exercise so often is because they make mistakes. It’s also part of training and educating: taking corrective action and using criticism and critique in a positive way. The repetition of doing assists both actual memory and muscle memory. Some actions also become habit. These habits can be both good and bad. It’s also an excellent way of highlighting bad habits so they are corrected.

When it comes to businesses, crisis teams don’t exercise nearly enough. Many will do this once, maybe twice per year. And if they do, that’s a lot.

But more than just frequency alone, crisis teams in the business world need to also take a different approach and outlook. Every exercise should be looked at as an opportunity to learn, expand skillsets, step beyond comfort zones, and train for the future.

Additionally, every exercise does not need to be disruptive. It can be as simple as getting in a room, on a conference call, or on Zoom/Teams/(insert your other favorite video conference provider) and having a discussion that asks:

  • What do we do when (insert event or impact)
  • How will we handle (insert event or impact)
  • Are we prepared for (insert event or impact)
  • Have we considered (insert event or impact)

In fact, this can be done far beyond crisis teams. Each of your departments and teams that hold regular team meetings or get-togethers can take 3, 5, 10, or even 15 minutes to discuss topics depending on what is on the regular agenda. This can be done every meeting, every-other meeting, or even quarterly.

You’ll see changes to your planning and preparedness levels. You might even see changes to your long-term culture. Trust me, that’s a good thing.

This is why we exercise.

 

Over the past few years, business leaders have been reminded repeatedly of the unpredictability of doing business in an uncertain future. This has certainly been the case for the past two years as business owners faced devastation from both humanitarian and natural disasters.   

As the world gets riskier, being prepared for disruptions and disasters impacting your business is extremely important. Why? In addition to preventing severe financial losses, it can prevent companies from “closing their doors”.   

To celebrate April’s Financial Literacy Month, I will share examples of what happens when you do not have a plan and outline strategic steps on how to build a resilient organization during the next crisis.  

NOT PLANNING FOR THE UNEXPECTED 

Even seemingly small events can have major impacts on a business. Consider the following events causing major impacts to businesses:  

  • A car hit a fire hydrant in front of an antique bookstore causing damage to 1,500 antique books costing $300,000 in restoration and repairs. 
  • A bad database upgrade and upload left database transaction processing idle for seven days, resulting in the loss of two major clients.
  • Even a trader was impacted by a power loss at his home.  Due to the outage, he was unable to execute a trade to exit a position and lost $70,000.00 in a single day.  

Tessco Technologies 

Let’s look at what happened with Tessco Technologies, a supplier of wireless communications products for network infrastructure, site support, and fixed and mobile broadband located in Baltimore, Maryland.  The business was not in a flood, fire, or earthquake zone.  In this case, the culprit was a faulty fire hydrant, which caused several hundred thousand gallons of water to be blasted through a concrete wall leaving the company’s primary data center under several feet of water.  It also left 1400 hard drives, and 400 SAN disks soaking wet and caked with mud and debris. 

PREPARE, PREVENT, PROFIT

Businesses don’t need to be located in a disaster zone to be impacted by a disaster.  The key to protecting your business is to prepare with a plan that is well documented and has strategies you can rapidly put into place.  

Below are five reasons why business leaders should prepare: 

  • Quickly respond and adjust to a disaster or disruption with strategies that allow you to shift and pivot your business for a more expedient recovery 
  • Reduce or even eliminate financial losses by implementing strategies that reduce the impacts 
  • Obtain better insurance rates and coverage for instant Return on Investment (ROI)
  • Meet government, regulatory, and customer requirements calling for contingencies 
  • Maintain business reputation and share price 

A well-documented plan can help you quickly respond, adjust, and pivot to alternative strategies. As part of proper planning, it is important to know what the delayed and lost revenue to your business will be as well as the potential for increased expenses and other recovery-based costs that will impact your business.  

The first step is to calculate what your downtime costs would be. This is usually directly representative of lost revenue. It is important to note that even delayed revenue can have a significant impact on a business’ cash flow, whether daily, weekly, or monthly. Even if all your income is only delayed, a reduction in cash flow can shut a business down quickly.

By taking the time to do even basic downtime calculations you can begin to take steps to protect your revenue-generating processes. 

ASSESSING THE FINANCIAL IMPACTS OF BUSINESS DISRUPTIONS 

Many organizations skip the Financial Impact Analysis. This is a mistake. Conducting a Financial Impact Analysis is critical to helping a business understand the actual financial impact a disaster or disruption can have on it. With this process, businesses can select strategies to enable a recovery that makes sense financially and gives leaders peace of mind that no matter what uncertainties the future may bring, organizations will thrive and even profit for years to come. Let’s take a look at the top five benefits:

  • Providing insight into business processes and applications that, when impacted by disruption, will cause the business to have lost or delayed revenues

This first step will allow a business to determine estimated or in some cases exact dollar amounts in lost and delayed revenue from a disruption. Even a basic calculation of these lost revenues can quickly inform a business where they can and should focus their preparedness efforts. Notice this is preparedness, not recovery efforts. This is because a large part of getting this right is done during the preparedness phase pre-disaster.  

  • Allows for proper cost-benefit analysis to implement right-sized recovery strategies

This calculation then allows the business to focus its strategies on key critical core functions that are most likely to be impacted by revenue losses and cash flow issues. This deeper insight helps the business to focus resources, time, and money on these critical functions with better data backup, record retention, and manual recovery strategies, rather than throwing resources randomly at business areas that may not need as many strategies, or any at all.

  • Potentially reduced insurance premiums along with increased insurance coverage 

Additionally, presenting your insurance company with a well-thought-out preparedness plan in many cases can reduce your insurance coverage premiums, provide you with increased coverage, or both. Just recently I helped a large Biotechnology company obtain an additional $500M in coverage for a total of $2B in total Property and Casualty Insurance Coverage with zero additional increase to their premiums.  

  • Better insight for the selection of Recovery Time Objectives (RTOs), Recovery Point Objectives (RPOs), and Maximum Allowable Downtime (MAD) 

Another key benefit is rather than selecting arbitrary Recovery Time Objectives (RTOs) for your business processes or Information Technology Disaster Recovery (ITDR), you can tie these to your financial impacts and set clear goals that are meaningful to your business.  

This would allow you to implement a preparedness or IT recovery strategy that enables you to recover in the time you need and more importantly, save money. 

  • Greater ability to measure effective Return on Investment (ROI) of Business Preparedness Measures 

When you take the time to do even basic financial impact calculations, it also becomes much easier to measure and obtain better ROI. Yet, many do not take the time to do these calculations because they believe it is too difficult, they don’t know where to start, or even how to apply the outcome of these calculations.  

MAKE YOUR BUSINESS MORE RESILIENT  

At the Erwood Group, our business is helping your business stay up and running after and ideally during a crisis or disruption. Whether you need help with business continuity planning, crisis, and incident management, or need better disaster recovery options, we’ve got programs and services to make your business more resilient so that you can prepare, prevent and profit even in a disaster.  

To celebrate April’s Financial Literacy Awareness month, I am offering a free consultation to help your business survive the next disaster and provide critical strategic steps to prepare, prevent and profit in an uncertain and unpredictable future.   

Contact Keith Erwood, Business Preparedness Expert, ERWOOD GROUP. 

Supply Chain Disruption Forcing San Diego Businesses to Make Tough Decision this Holiday Season

Local Crisis Management Expert Believes Distribution Challenges Are an Opportunity, Not a Crisis.

The Halloween decorations have been put away and we are now entering the holiday shopping season. Sticker shock will be this year’s theme, if you can find what you’re looking for, that is.

SAN DIEGO—The global supply chain crisis, which includes thousands of unloaded containers with merchandise lingering on ships in major US ports, coupled with skyrocketing gasoline prices, a worker shortage, and a huge increase in consumer demand, is forcing local companies to make some tough decisions heading into the competitive holiday season.   

According to Crisis Management and Business Continuity Expert, Keith Erwood, Business Preparedness Expert of ERWOOD GROUP, companies must decide three important questions: will they pay higher prices upfront to receive overseas goods, pass the increased costs onto their customers, or retreat from overseas markets altogether.

Keith Erwood: “Our data and research indicate things will get worse before they get better. However, the supply chain disruption should be viewed as an opportunity, not a crisis, for our San Diego business owners. There are steps companies can make to ensure resiliency and identify key strategies you can take to build a stronger supply chain.”

To help local businesses survive this holiday season, Crisis Management Expert, Keith Erwood, Business Preparedness Expert of ERWOOD GROUP has outlined strategic steps to handle the supply chain disruption:

Diversity of Supply Base

To help untangle the global supply chain mess, businesses need to move away from depending on a single supplier overseas, like China or Vietnam, and find local suppliers where possible to fill critical components or materials. This is because local suppliers can deliver products much quicker. It is also easier for a supplier to coordinate a shipment across the neighborhood than around the world.

Forecast Demand

Companies need to focus on delivering quality best-selling products to their consumer-base, instead of trying to keep shelves packed with non-essential slow-moving items.

Erwood said, “There is a false narrative being shared in the media right now that holding and buying increased inventory will allow businesses to meet high demand over the holidays.  This is a mistake.  If demand for a product decreases, deep inventory can become a financial liability and environmental waste.  This is especially true for technology, fashion, and perishable products that rapidly lose value and salability over time.”

Be Honest

Research and data at the ERWOOD GROUP predict supply chain imbalances will continue into June 2022, due to inflation, a worker shortage, and the impact of the Delta variant around the world—especially in South Asia.

Erwood said, “For this reason, you must be very honest with your customer, even when it hurts.”

Plan for Recovery

Companies should think beyond short-term disruption to long-term company survival. Disruption can be seen as an opportunity to thrive and make tough business decisions, like a long-desired reorganization or cutting non-performing products and customers.

Buy Local

It’s no secret supply chain issues have taken a toll on small businesses importing materials.  For this reason, San Diego consumers must start buying from local businesses to change how they operate. By relying less on goods and services from outside markets you can boost regional and local economies.

GUEST BOOKING:

Keith Erwood is available for live guest segments. To schedule your interview, please contact Kristi Angevine, Publicist, ERWOOD GROUP at kangevine@gmail.com

 

About ERWOOD GROUP

At the Erwood Group, our business is helping your business stay up and running after and ideally during a crisis or disruption.  Whether you need help with business continuity planning, crisis, and incident management, or need better disaster recovery options, we’ve got programs and services to make your business more resilient so that you can prepare, prevent and profit even in a disaster. For more information visit erwoodgroup.com 

VALUE

How Business Continuity Provides Value to a Business

There are many ways in which Business Continuity can provide a business with tremendous value. Not just during an activation of the plan itself, which may keep the business from suffering substantial losses, but even during times of normal business operations. How, you ask?

The first and most obvious to many is that business continuity planning helps organizations obtain reduced premiums on insurance. Another is that it assists in providing consistency across the enterprise and increased efficiency. Let’s look at each of these and others in more detail.  

  1. Reduced Insurance Premiums: It is well known that having a well-established Business Continuity Plan can assist businesses in obtaining a reduction in premiums for business interruption, supply chain, cybersecurity, and other forms of insurance.

Not certain if your provider will or has reduced your premium? Contact them and ask. If they aren’t willing to (though a majority will), start looking for a new provider that will.

In some cases, we have seen providers work closely with the client to further mitigate risk by providing additional assistance and suggestions. You might also find that a risk that was unacceptable before you had a business continuity plan becomes more acceptable, with insurers now willing to underwrite the risk since you have written documentation on both mitigation and recovery should the risk occur.

  2. Consistency Across the Enterprise: Often, especially when spread across a large geographic area, a business will have different processes to complete the same task. This can often lead to confusion, inconsistencies, delays, lack of trained personnel, and frustration.

These disparate processes are easily found while creating the plan and easily consolidated into one or two (as a backup) processes for completing a specific task. This creates consistency across the enterprise, reduces waste, and even gives more personnel knowledge of how to complete the same processes and tasks. This is also good for workforce continuity should the need arise, especially if having to move the process geographically due to business disruption.

  3. Increased Efficiency: Business Continuity Planning encourages the organization to perform deep-dive analysis into their processes. Mapping out the processes allows the business to find strengths, weaknesses, and inefficiencies and make improvements.

The refining of these processes over time helps the organization to increase efficiency, maximizing operations for capacity, agility, and growth, finally leading to better cost management.

  4. Meet Government Mandates: While there are currently no government mandates to have a business continuity plan, mandates do exist that can cause a business to face severe penalties and fines if not met, such as meeting payroll on time and accurately.

Having a business continuity plan in place for these processes ensures that they can be maintained effectively during a crisis or disruption, keeping the business from facing steep fines.

  5. Meet Legal and Regulatory Requirements: In addition to governmental mandates, organizations face legal and other regulatory requirements to have business continuity and contingency plans. While it may not seem obvious at first, many businesses face Service Level Agreements (SLAs) and other contractual agreements that, if unmet, can cost a business lost revenue and penalties.

In addition, businesses MUST meet requirements from regulatory bodies to have proper business continuity plans in place, sometimes including specific requirements and within specific time frames. One such requirement is FINRA 4380. In addition, these regulatory rules have changed from time to time, only increasing in strength.

  6. Meet Needs of Clients and Business Partners: Having these Business Continuity plans in place allows the business to quickly meet the needs of its business partners. Many large organizations now require their vendors and business partners of all sizes to have and maintain a business continuity plan in place before they will even consider conducting business with them.

This gives the businesses that already have the plans and contingencies in place an obvious business edge against competitors and increased business value. As such, businesses can command higher prices or premiums on goods and services they provide to other organizations.

  7. Increased Business Value: Organizations that have business continuity and contingencies in place can quickly meet the needs and requirements of their business partners. As such, these businesses can command higher than normal prices and a premium when showing they can continue to support their clients and business partners during major disruptions.
  8. Reduced Business Liabilities: Businesses that have business continuity plans frequently find hidden exposures to the business and take steps to mitigate, reduce, or remove the risks and reduce the overall business liabilities that otherwise might have been unforeseen.
  9. Alignment of IT with Business Strategy: Business continuity planning assists the business in aligning business strategy with IT strategy. Too often businesses have communication and alignment gaps between business and IT strategy, which leads to increased frustration on both sides.

Business continuity planning allows for the defining of critical, important, and non-essential processes along with supporting applications and other IT functions so that you can recover your critical processes quickly.

  10. Alignment to Maturity Model: Business continuity planning allows for the natural progression to a maturity model from non-existent, to repeatable, through to the optimized level.
  11. Alignment with Risk Management: Businesses with mature business continuity plans successfully align with Risk Management to further reduce liabilities and have strong contingencies in place for risks that will have a high impact on the business.
  12. Alignment to Vendors and Customers: Business continuity planning allows you to take a closer look at your vendors and suppliers and see how they will handle your needs during a disruption. This also allows for deeper and closer partnerships with your first-tier vendors and to work together to achieve objectives during disruptions to either entity.

The same can also be said for your most important clients. Well-defined contingency plans account for working with top-tier and other clients during disruptions.

  13. Institutionalization of Program: Organizations that implement and maintain their business continuity plans tend to develop institutionalized programs, meaning the future life and maintenance of the planning itself becomes an embedded process within the organization.
  14. Preparedness as a Culture: Developing a solid business continuity plan likely will create a culture of preparedness, and employees will take a natural course to ensure the continuity of new and emerging processes and tasks that develop.
  15. Maintain Operations During an Emergency: Business continuity plans enable organizations to operate after, and ideally during, a major crisis or emergency that might arise within or around the business.
  16. Increase Return on Assets: Businesses with continuity plans tend to keep greater track of critical and important assets. This allows the business to take action to realize and recoup the value of assets. This can be done through getting the full life out of the asset, donating the asset, and many other methods to achieve monetary value out of assets that otherwise would not have been achieved.
  17. Safeguard Critical Business Assets: Business Continuity planning allows for businesses to better safeguard critical assets in a variety of ways, whether through insurance, hardening structures, or other methods. Planning makes for the identification of critical assets to take further action when required.
  18. Safeguard Business Reputation: Business continuity planning with well-defined crisis communications plans can help mitigate and, in some cases, prevent major impacts on an organization’s reputation.
  19. Safeguard Employees: Business continuity plans can also account for the safeguarding of employees and their workforce.
  20. Training and Education: Business Continuity Plans that are properly tested and exercised make for a greater success of recovery during a disruption through continuous training and education.
  21. Discover Hidden Business Value: Business continuity planning creates opportunities for finding hidden value in the business. This is achieved through consolidation and deduplication of processes that may overlap, better and more refined processes, and new ways of conducting processes. In some cases, it also leads to new ideas and opportunities to provide to clients and customers.

It is not uncommon for organizations with business continuity plans to be able to quickly and efficiently respond to market and geopolitical changes, increasing their competitiveness.

  22. Reduce Revenue Loss: Business continuity planning leads to reductions in revenue loss.
  23. Increase Return on Investment (ROI): Numerous cases exist for increased ROI with Business Continuity; among them are better-defined Disaster Recovery strategies and implementations, often leading to cost reductions.

Businesses that faced disruptions with well-defined business continuity plans could react quickly and adjust, leading to profits while competitors struggled to recover.


 

Throughout the course of my career spanning 25-plus years, I’ve witnessed many planners and organizations getting stuck during their continuity planning. This happens for a variety of reasons, including how you manage the overall program. Here are some important ways to get ‘unstuck’ in your contingency planning.

The BIA phase is one of the most common phases that organizations and planners get hung up on and end up being ‘stuck’ in without making progress and moving on to the strategy selection and planning stages. This happens when you’re trying to get everyone through the BIA process prior to moving on into the other phases.

In large organizations with many business units and processes, getting ‘stuck’ in this part of the business continuity process can easily derail your entire program. In fact, I have seen a healthcare organization 3 ½ years into their business impact analysis with an estimated six more months remaining until they thought they would complete this phase of the program. They also felt it wasn’t productive to move forward into additional steps prior to completing all BIAs for the entire organization.

Three years in, it is highly likely that the data you collected in the beginning is no longer valid. In most cases, a BIA should be completed every two years. In some cases, a BIA is completed once per year. So being 3 ½ years in without further progress is not beneficial to the organization or to your program.

How to Avoid Getting Stuck

Solution

The best way to avoid getting stuck in the first place is to have a solid plan before you start with your first BIA. Determine how many BIAs you will need to complete overall. Once you do this, you can easily break them down into smaller groups of four or five and plan out how many rounds of these groups you will have to do.

Start with your first group of business units and complete the BIA process with this first group. Once this is completed, move the first group into the strategy selection and planning phase and get your next group ready for their BIA phase.

Splitting your business units into groups allows you to continuously cycle them through each phase of the planning process. This allows them to move along in the process while the information is fresh, and maintains the momentum and rapport you built during the BIA process.

This also allows other groups and your management teams to see and experience the progress of your planning program which will contribute to your success.

What to Do If You’re Stuck

Time for Action

Here is how to get ‘unstuck’ in your contingency planning if you’re already in a situation where you might be having trouble moving the needle. There are a few things you can do to start your planning moving forward again. Since you want your business continuity program to be successful, I recommend that you start with the most recent business departments that completed their BIAs, moving them directly into the strategy selection and plan building phase.

Then go back to where you started in the beginning and meet with the departments that completed their BIAs the furthest back in time. Review the data that you have, looking for changes, and make the necessary adjustments to the data you gathered.

Once you do this you may find that you can move these business departments into the next stage of strategy selection and plan creation and documentation. In some cases, you may find that so much has changed, from personnel, processes, responsibilities, and even applications that you might have to redo the entire BIA process again.

Don’t fret; simply continue this process, and as you find departments that have little to no changes, move them along into the next phase and redo BIAs for those groups that have too many changes to quickly gather the data.

This may seem like you’re moving backward at times, but you’ll be making more progress than you were previously by moving business units into the next phases.

Keep the Momentum Going

Once each business department group completes the creation of their planning document, move them into a tabletop walkthrough to look for gaps, missing information, or something that might cause an issue during recovery.

These groups can then be placed into a maintenance category where the plan will be reviewed at least once per year. Hopefully, someone will be dedicated to keeping the plan updated as changes are made making this process of doing a yearly review much easier.

If you need more help getting unstuck in your business continuity program, book a free consultation today.


 

The Importance of Business Continuity

The Importance of Business Continuity is an extensive Whitepaper first written in 2009 by our CEO & Principal Managing Consultant – Keith Erwood. It is newly updated with fresh content, new stats, and important new information.

The Importance of Business Continuity is a great resource for continuity professionals and practitioners as well as business owners, executives, and business managers who have or are looking to implement Business Continuity and Disaster Recovery programs in their businesses.

For those new to Business Continuity, The Importance of Business Continuity provides a brief overview of what business continuity is and why you should have a continuity plan, but more importantly how to get started developing and implementing your own program for business resilience and preparedness.

Inside The Importance of Business Continuity, you’ll learn more about minimizing downtime, protecting strategic elements and assets, maintaining your reputation, communicating efficiently, resuming operations, how preparedness measures mitigate costs, methods of calculating ROI, and more.

You’ll learn key statistics such as the impacts to a pharmaceutical giant following a ransomware attack in 2017, a staggering percentage of small businesses impacted by breaches in 2018, as well as how much the average cyberattack is costing businesses of all sizes – hint, it’s over $100,000 and the amount may surprise you.

The Importance of Business Continuity is a great resource to have at your fingertips or close by to facilitate discussions with your executive management team, crisis management team, IT recovery team, and anyone else that you might want to discuss business continuity or disaster recovery with. 

We’ve also updated our section on How to get started – including the basics, communications, data protection, and more for larger businesses. The best part is it’s free.

We’d like to add here at the Erwood Group, we are driven by our purpose to our relentless commitment to preparedness so you can Prepare Prevent and Profit. The Importance of Business Continuity should help you do just that. 
