We are Excited to Announce and introduce our new and Free Basic Risk Assessment Tool. The best part is it will be part of our Forever Free Initiative™ to help businesses better prepare for disruptions and disasters.
Risk Assessment Tool Screen Shot
We at the Erwood Group believe that the Free Basic Risk Assessment Tool will be a game changer for the small and mid-sized business market for removing the obstacles required to complete a risk assessment quickly and efficiently.
This is important because one of the most basic reasons for business continuity or contingency plans to fail is the lack of a risk assessment or understanding of how those risks will impact the business.
Our proprietary tool is easy to use and will quickly calculate an Overall Threat Rating based on the Probability of Occurrence and the Impact Severity on key core operations of the business.
The Basic Risk Assessment Tool will be a part of our Forever Free Initiative™ to provide all businesses with better preparation for disruptions and disasters.
Now a business can quickly and easily assess how a hazard or scenario will impact their business and determine what risks will have the greatest impact on their business. You can access the Basic Risk Assessment by clicking the link here:
Be sure to check out the Free Basic Risk Assessment Tool and share it with your friends and colleagues to help us spread the word about this great tool.
So, what is business continuity anyway? It’s a great question. It’s also a question that comes up all the time. It should have a simple answer, yet the definitions and answers I hear are often long-winded and complex. So, what is business continuity? Before I give you my answer, let me provide you with the definition from the National Fire Protection Agency (NFPA) 1600 (Which is their Business Continuity Standard).
According to the NFPA 1600, Business Continuity is An ongoing process to ensure that the necessary steps are taken to identify the impact of potential losses and maintain viable recovery strategies, recovery plans, and continuity of services.
I like to keep things simple, so the above is the simplest of all the definitions out there. What do you think about the definition? Do you like it?
Yeah, me neither. As I said, I like to keep things simple. So, let me give you, my definition.
Now that we know that business continuity in its simplest form, is disaster preparedness for business; we need to discuss more how as a business we properly prepare for disasters and disruptions.
According to the DRII, Professional Practices are a body of knowledge that provides a framework to develop, implement, and maintain a business continuity program that reduces the likelihood for significant gaps and increases the cohesion of the business continuity program.
The Professional Practices are broken down into ten areas as follows:
Addressing each of the areas named above as part of your business continuity program increases your ability as a business to recover and operate the business. To continue to provide goods and services to your clients and limit potential losses to revenue, reputation, and customers.
Business Continuity Program Initiation
One of the most important parts of a business continuity program is getting it started in the right way. Doing so sets both you and your business up for a successful program.
Here is how to get your program started the right way.
Establish the need for a business continuity program
The first step is determining the need to start a business continuity program. While every business has the need and should have a business continuity program and plan, establishing the need for a program within the business is not always easily accomplished.
To establish a Business Continuity program, you will need to gain the support of others within your business.
Obtain support and funding for the business continuity program
Sometimes gaining support is easier said than done. Here is how to go about gaining support for your business continuity program. You will need to speak to your colleagues, managers, and executives within the business to obtain both support and funding for the business continuity program.
While business continuity is often looked at as a cost center in that it doesn’t directly attribute revenue to the business, it is an extremely important activity that reduces potential and real losses in revenue in several ways. It also reduces costs. Let me provide you with real examples that some of our clients have had results with.
One client recently obtained a $500 Million dollar increase in insurance coverage with zero increase in premium costs. This was done based on the Business Continuity Plans and Program developed after meeting with the insurance providers and providing details of the program and progress made.
Another client was able to reduce potential losses of over $149 Million by reducing Recovery Time Objectives (RTOs) from 45 Days to just three days and planning accordingly resulting in a savings of 93% or $139 + Million Dollars. With the new strategies in place, the potential loss over three days was approximately $10.5 Million dollars. However, since the RTO was reduced to just three days, the likelihood of a loss in revenue was effectively reduced to zero since the customers being served would likely not leave based on just a three-day disruption. This assumption was made based on historical data from other national labs.
Additionally, many businesses are asked to meet business continuity and disaster recovery requirements from their customers that want them to ensure that the products and services they provide to them are met even after a disaster or disruption. This allows for businesses that have robust business continuity programs in place to increase their pricing as well.
One of the methods we use here at the Erwood Group is to provide our clients with a Financial Impact Analysis that allows them to visualize the monetary and economic value and utility of implementing a business continuity program. Additionally, we also like to educate them on the many ways in how business continuity provides value to a business.
Once we change the conversation with business executives and managers to how business continuity provides value and show various ways the business can reduce costs and obtain a return on investment (ROI) implementing a business continuity program just makes sense.
Build the organizational framework to support the business continuity program
Support from executives isn’t the only type of support you’ll be needing. An effective business continuity program needs to create an organizational framework, systems, methodology, teams, charters, and supporting statements and policies to be in place to support the needs and requirements of the program.
Additionally, you’ll need someone, preferably a team, that works on and within the business continuity program on a continual basis to keep the program running smoothly.
Charters. Polices, and Statements
Charters, Policies, and even statements can and should be created. The biggest question is which do you need? Ultimately it depends on the needs and requirements of your organization. However, at the very least you should have a general Business Continuity Statement that you can provide to customers that ask if your business has a business continuity plan or program in place. I’d also recommend having a client-facing business continuity statement on your website that is viewable to all current and potential future clients. Keep these statements at a very high level and provide a point of contact if someone wishes to formally ask deeper questions.
A business continuity charter outlines the overall program in its scope, timeline, standards used, its purpose, who heads it and has ownership, the departments, team members, or key players, the implementation of a steering committee, the lifecycle of the planning and program, the actual details of the framework to develop, implement, and maintain the plan and programs over time, and how often reviews and exercises will take place. Ultimately, it is a highly detailed document with executive approval and signed that details the processes of how the business continuity program will be run, managed, and overseen.
A policy is a high-level document that states business continuity is part of the business, is organizational-wide, and discusses standards and rules as enforced by the business. It is not as detailed as a program charter is.
Do you need a Charter and a Policy? No. However, if given a choice a charter with its details should be the first and optimal choice. If your organization requires a policy, you may opt to develop both or create a policy that has the depth of a charter.
Steering Committees
Depending on the size of your organization, or as a matter of policy within the organization you may need to or want to create and have the support of a steering committee for your business continuity program. In a smaller business there may not be a need for one, but in a large business with a lot of resources, moving parts, and constant changes it is almost a necessity.
It is usually best to have steering committee members made up of upper management teams that oversee the departments that will be involved in the business continuity program so that they add authority and convey the importance of getting the program off the ground and running smoothly.
In the beginning initial stages of the project, it may be necessary to meet more frequently, but ultimately meeting once per quarter is often enough.
How Many and What Departments Will Be Involved
This is the best time to start planning how many and which departments will be involved. What you want to do primarily is focus on core critical business functions. The difficulty arises when you have a large enterprise with many critical functions spread across the globe.
In the case of large global businesses with many critical core functions, it is best to start this planning early and this is how many larger companies run into trouble or get ‘Stuck’ in one of the phases of the business continuity program process. If you have gotten stuck – Learn How to Get Unstuck in Your Contingency Planning.
At this stage, it’s best to start planning your strategy for how you will move each department through each of the phases of the program. Usually, with 10 or more departments, I usually recommend breaking them into groups of five. This allows you to conduct your first set of Business Impact Analyses and then to quickly move this first group into a strategy selection phase while the BIA is still fresh in their minds.
The BIA phase is a key area where many businesses get stuck. They try to cycle everyone through the BIA phase before moving to the next phase. The reason this becomes an issue is it takes time to do over a large set of departments, functions, and groups. By the time you reach the end, often years later, the original BIAs become stale and irrelevant, and people also have forgotten what was discussed.
This also accounts for a lack of progress and therefore executive buy-in starts to wane and diminish as well.
Here’s what we at Erwood Group do. As we move the first cohort into the strategy selection phase, we also bring the second cohort into the BIA phase. We continually cycle each group through the phases this way to avoid getting stuck, to show progress, and keep executive buy-in, and group participation high. It allows others to see progress being made and achieved. It also assists in boosting results and maintains the momentum of the program.
As soon as you can determine what departments or functions will be taking part break them into smaller cohorts. Then begin laying out your project roadmap through the phases of the business continuity program.
Introduce key concepts, such as program management, risk awareness, identification of critical functions/processes, recovery strategies, training and awareness, and exercising/testing
This is also the best time to introduce and discuss the key concepts around developing and implementing your business continuity program. You’ll want to discuss the following with your colleagues and management.
Business Continuity Program Management
It’s important to lay the groundwork early on around how the business continuity program will be managed over the short-term including how the program will be initiated, developed, and progress into a long-term, everlasting program and how over time you will get there. It’s important to discuss as you will want to include these key details into the charter we discussed earlier.
Risk Awareness
You’ll want to address and raise risk awareness around the risks that the business faces as well as their impact on your business and operations. This is particularly important if you do not have a risk management team in place currently.
Identification of Critical Functions & Processes
Before proceeding with the various phases of the program initiation and development, time should be spent identifying core and critical functions and processes that are required to keep the business running.
These Functions and processes should be focused on:
Life Safety
Revenue Generating or Revenue Sustaining
Customer-Centric Contractual Agreements (SLAs)
Regulatory and Compliance Related
Other Legal Obligations
Note:In many cases, most businesses will need to worry about things like shelter-in-place or evacuation of people and that’s as far as their life safety concerns need to go. However, for other settings such as in healthcare facilities, life safety considerations need to be first and foremost prior to considering revenue generation. Not that revenue generation is not important in these facilities, but that life safety considerations need to be at the forefront.
Also, doing this early and having a clear determination on which functions and processes to consider for your business continuity program and which will have business continuity plans developed will prevent you from getting stuck on which areas of the business or organization should participate.
If not done with the outline presented above, you will, and still may face a lot of pushback from other functional areas that consider themselves critical. They may in fact be during normal business operations, but in the grand scheme of continuing operations during or post-disaster or disruption these will have little impact on the organization until operations return to normal.
Recovery Strategies
Now is the time to meet with executives to establish sensible and workable business continuity recovery strategies.
For instance, most businesses today declare that employees can work remotely, and this is perfectly fine. We just need to be sure that processes and systems are in place to handle this. Since the COVID-19 lockdowns have occurred, this is generally not an issue in most cases today.
However, some businesses can’t have every staff member work remotely. Such as manufacturers, laboratories, distribution centers, and other warehouse workers are needed to keep working at specific locations and in many cases, they require specific pieces of equipment to continue working.
In some situations, employees need to shift work to an alternate worksite. Considerations for notifying employees, and even providing transportation and/or accommodations to employees may be required as well.
You’ll need to select viable business continuity recovery strategies for the following areas:
People
Properties
Processes
Technology
Vendors
Training and Awareness
This is also a great time to begin to think about how you will conduct training and awareness within the business continuity program. There will be two key times for raising awareness and several opportunities to conduct training.
The first real opportunity to generate awareness will be to have business continuity program kick-off staff meetings. Holding these meetings is your best first chance at providing high-level awareness around the business continuity program, how it will be conducted, who will be participating, who at the executive level is supporting the effort, what resources are required, and how much time will be needed, and key the phases. Another key time for raising awareness is during exercises.
Depending on how you implement, develop, and run the program you’ll have several opportunities to provide training. There can be training provided prior to or during key phases of the program. The number one method of providing training throughout the program into the future will be during exercises.
Exercises, Training, and Testing
As we just mentioned, you will be conducting exercises once the plans are developed. This is done to look for weaknesses, gaps, learning (training), awareness, building confidence, developing new strategies, working with interdependent groups, discovering new interdependencies, and more.
While many use a “Crawl, Walk, Run” approach (I hate that saying) we at the Erwood Group developed our own methodology and system developed by our own Keith Erwood Called Learn, Practice, Implement, Challenge™.
The reason I hate the crawl, walk, run saying is that it is too vague and provides no real insight into what you should be doing during the exercises. It provides no information on what the overall goal of the exercise should be or at what stage in the process or program the teams are at.
This is the main reason why Learn, Practice, Implement, Challenge™ was created. It provides a clear set of objectives that should be happening at each stage. It also provides a logical progression of where we should be over time. Ultimately, the end goal of a mature program is that we should be able to hold exercises that push seasoned plans and their teams to grow and expand and find new ways or strategies to overcome any obstacle. It also provides a safe environment to learn (potentially to fail and learn in a safe way), and to build skills and confidence in the teams’ capabilities.
We’ll talk more about exercises later. Just know that the Learn, Practice, Implement, Challenge™ methodology can and should be implemented as part of the business continuity program development as well.
Risk Assessment
Risk Assessments are extremely important to conduct and it is in fact one of the reasons Why Business Continuity Plans Fail when they are not done or done inadequately.
A Risk assessment can be basic or complex as to its depth, but it should not be glossed over or skipped. If you’re part of a large organization that has some type of existing risk management team in place, partner with them to obtain the latest risks to the business.
If your business or organization has no risk management team or process in place visit the Chief Financial Officer as they are the ones responsible for operational risk and find out if a risk assessment has been done.
If no risk assessment has been done, it is easy to do a basic risk assessment. If you need a resource for this, you can click the link to obtain our free basic risk assessment. If you need something more robust for your risk assessment than our free resource, contact us to see if you require our Advanced Risk Assessment Tool.
One thing I want to add in this section is a brief statement on risk management. Risk management is important to all businesses. Done properly, risk management allows you to take advantage of upside opportunities, while mitigating downside or negative risks and outcomes.
Overall, risk management is looking at the impacts of what if this scenario occurs. And business continuity, as a subset of risk management and business preparedness preparations, is what we do when that situation occurs.
Identify risks that can adversely affect an entity’s resources or image
The purpose of the risk assessment is to identify the business or organization’s exposure to certain events (most likely negative at this stage) and put mitigation strategies in place to reduce the impacts
Additionally, we at the Erwood Group like to define the top five and top ten potential risks to a business or organization and directly call those out so risk mitigation and controls can be put into place.
Assess risks to determine the potential impacts to the entity, enabling the entity to determine the most effective use of resources to reduce these potential impacts
Once the risks and the probability of occurrence are assessed, we begin to look at the impacts on the business should these events occur.
This brings us to conducting an in-depth Business Impact Analysis.
Business Impact Analysis
The Business Impact Analysis commonly referred to as the BIA is one of the most important phases of your overall business continuity program. It is the method used to gather data about your core and critical functions and processes, essentially setting the foundation for your business continuity program and business continuity plans. You’ll use the BIA to gather all the data and information you require to analyze and make key decisions in the development of your business continuity plans.
Here are the key things you’ll be doing with your BIA.
Identify and prioritize the entity’s functions and processes in order to ascertain which ones will have the greatest impact should they not be available
The first step is to identify and prioritize the functions and processes within the business. You’ll then usually work with the most critical and core functions and processes first. This is especially true if you have many business functions and processes within your enterprise.
Assess the resources required to support the business impact analysis process
Prior to beginning the BIA you’ll need to identify the best resources and Subject Matter Experts (SMEs) for each function and process.
You’ll need to schedule time for each resource and SME for interviews, completing surveys, and potentially completing workshops. It’s best to separate each cohort by department, function, and process to gather the necessary data and ask questions during the interview and workshops.
Key Data to Collect during the BIA
Recovery Time Objective
You’ll want to gather some very specific information during the BIA phase for each function and process. This includes:
Any Dependencies and Interdependencies on other internal or even external groups
Applications, Data, and other Technologies the process requires
What is the Recovery Point Objective (RPO) of any data that is input into the system?
How many people are required to complete the process?
What vendors are relied on for this process?
You’ll also want key contact information, especially for vendors and key employees required to complete specific processes.
While many businesses try to collect the absolute minimum data required for expediency, we at the Erwood Group like to utilize the BIA phase to gather all key data we can during this time. This allows us to complete in-depth analysis, Financial Impact Analysis, Downtime calculations, and more. It also requires the same amount of effort and time, so collecting additional data during this phase just makes sense.
With that said, some people forgo the BIA entirely. This is not a good idea and is in fact one of the common reasons why business continuity plans fail as mentioned earlier. It’s better to do a rapid and minimalist BIA than to not do one at all.
Analyze the findings to ascertain any gaps between the entity’s requirements and its ability to deliver those requirements
Once the BIA is complete this is a time to look for obvious gaps in capabilities, lack of manual processes, and a heavy reliance on specific technologies, groups, or key people.
This is also a time to create a BIA report to share with team members, steering committees, stakeholders, and executives.
Business Continuity Strategies
The development of viable business continuity strategies is an essential part of building your business continuity plan. In fact, I would say it is the keystone required to build an effective plan.
As mentioned earlier you’ll need effective and viable strategies for the following areas:
People
Properties
Processes
Technology
Vendors
Select cost-effective strategies to reduce deficiencies as identified during the risk assessment and business impact analysis processes
Selecting cost-effective strategies as stated by DRII is important but selecting strategies that are effective and viable are just as if not more important. There are strategies that can be implemented that are in some cases zero or low cost, however, most strategies will incur some or significant costs.
For example, asking people to work from home (WFH) seems like a zero-cost solution, that when implemented thoughtfully and correctly requires at least some expense like laptops and VPN. When compared to the cost of an alternate location though, the cost is significantly less.
I’ll do a follow-up post on developing and selecting effective strategies in another post soon.
Incorporating Steps that support the strategies
Once you have the strategies selected you to need to add actionable steps that align and support those strategies that will be implemented.
These steps should be written in such a manner that would allow other team members or other personnel with the same skill sets to complete the steps should one of the main members of the team become unavailable.
For instance – rather than say we’ll relocate to an alternate location, say we will relocate to 123 location address, City, State, Zip.
Or rather than say we’ll utilize an alternate vendor, state something like the following:
Notify Vendor Name of need
Work with vendor to establish timeframe (to reach need or requirement)
Set or establish communication guidelines
Receive notification from a vendor that processes to support you are online (if needed)
Shift work, personnel, processes, etc. to vendor
Remember, the above is an example, but the more details and steps you have the more smoothly things will fall into place during a crisis. You don’t want someone to have to think through a missing step or requirement that will be needed.
Make certain you list any steps that would need to occur internally as well. Will approval be required to complete a step? Would you need to contact procurement? What about facilities? Lastly, be certain you communicate steps to the incident response team.
Incident Response
Once you complete your Business Continuity Plans, you’ll want to consider how you’ll respond to incidents and develop formal written plans on who is involved and how to respond.
There is quite a bit involved here, and though first responders and emergency responders have a formal set of incident response systems in place, organizations develop their response plans to fit their own internal and perceived needs. Due to this the private sector is literally all over the map on incident response.
I’ll cover a high-level overview of what your Incident Response Should look like in a separate post.
Develop and assist with the implementation of an incident management system that defines organizational roles, lines of authority and succession of authority
Some sort of incident response needs to be put into place to manage all the parts of an incident, be it a major disaster, a significant disruption to the business or operations of the business, or even a medical emergency on-site, as well as other potential incidents.
The first step will be to determine who will be on the Incident Response Team (IRT) and what each member’s role and responsibilities will be.
For instance, who will be appointed as an Incident Commander? Does this person have ultimate authority to run the incident, and make recovery decisions? If not, who does? What does that look like?
Do any of your personnel have experience with the Incident Command System (ICS) or Incident Action Planning (IAP)?
If you do not have anyone on your team that has experience in these areas I highly recommend taking the IS-100.C: Introduction to the Incident Command System, ICS 100 training available through FEMA. It is free and all members of your team should take the training.
Once you determine who will be on the Incident Response Team and what their roles will be you’ll also need to have an assessment team.
Incident Assessment
You’ll need a team to make initial assessments and ongoing assessments of the situation over time. You’ll also need to develop a formal written process and reporting document to make assessments to provide to the Incident Response Team.
These initial assessments can and should be done quickly by the assessment team. As an example, as a former first responder, we would always do a quick 10-second scene survey upon the first arrival at the scene of an incident. It’s a simple quick look around, what do you see, and what determinations can you make in that initial look?
For instance, if you had to evacuate a facility due to a fire, and it is actively burning and you can see flames and smoke, odds are your facility will be unusable and require repairs. It is possible during a later, secondary or tertiary assessment that it is determined that damage was less extensive and only to a specific portion of your facility and only a section or sections will remain unusable.
For a business organization, you should have someone knowledgeable and capable from facilities and information technology to be on your assessment team. Others may need to be added depending on the business type or industry as well.
Define requirements to develop and implement the entity’s incident response plan
Next, you’ll want to establish requirements for how you’ll develop and implement the incident response plan. When it will be activated, how it will be activated, how members will be notified of an incident, and the activation of the plan.
Over time, your incident will evolve and incorporate lessons learned from other incidents and protocols will be developed for when specific key things occur within your business.
Initially, you need some starting points as to how and when the Incident Response Team should meet. Additionally, they should be able to meet in person, virtually, and by phone or radio as needed.
Ensure that incident response is coordinated with outside organizations in a timely and effective manner when appropriate
At some point, you should exercise and coordinate with outside organizations when possible. At the very least you should have contact information for your local emergency responders, such as your local fire department, police station, office of emergency management, hospitals, utility providers, and more.
Reach out and talk to the local fire and police chiefs and invite them to come to visit your facility.
When an incident occurs, you will have members of your team speaking with and coordinating with these agencies.
You should also have certain information available to present as needed to responders. Some of this additional information could be:
Floor plans
Location of fire risers and standpipes
Location of any hazards or hazardous materials on site
Location of shelter in place
Plan Development and Implementation
When it comes time to develop and write your plans there are a few key things to know. First, when it comes to developing business continuity plans, especially for larger enterprise businesses plans should be developed by department or function. If this is not done, the plans tend to contain too much information and become too large, and that’s when people tend not to want to look at them.
That said, they should be filled with any pertinent information required to recover your business processes, instructions for manual workarounds, and other steps required to continue performing those functions.
If you’re a smaller or mid-sized business with fewer functions and processes, you can get away with developing a single plan for all your functions. But I strongly recommend as you grow, and the plan becomes harder to manage and maintain that you break it into small and more manageable department-based plans.
Document plans to be used during an incident that will enable the entity to continue to function
When you create and document your plans, you’ll again want to cover key specific areas that we previously mentioned:
People
Properties
Processes
Technology
Vendors
Each of the above should be a clearly defined section and lay out the previously selected strategies and supporting action steps for each strategy selected.
Traditionally, all plans were written or printed out and put into binders, and given to key personnel to carry with them at all times. This also presents some potential problems. The biggest issue is the size and weight of the document. No one wants to carry large binders around, especially when they have the perception, that they don’t need them today.
Some organizations have resorted to printing and carrying Quick Action Guides that detail initial responses and details of where to locate copies of plans. Others have resorted to paperless electronic versions and have done away with printed copies altogether. Some have resorted to using Business Continuity Software and only store plans within the software.
These solutions are fine but depending on how the documents are stored present other issues.
First and foremost, do not let your technological solution to business continuity become your biggest single point of failure. I have witnessed several clients store their documentation within their business continuity software solution only to be unable to access the documentation later when it’s needed most.
At the very least store the electronic documents in other locations. Create a repository on a shared drive or better yet, use geographically separate locations to store the electronic versions of your plans.
Keep additional copies in your physical Emergency Operations Center (EOC) if you have one. If you have a Virtual EOC (VEOC) make certain the documents are accessible there as well.
Utilize other methods as well such as push notifications, forced saving to a laptop or desktop, etc.
Of course, refer to your organization’s security and other related policies that relate to this.
Awareness and Training Programs
It’s essential to create effective Awareness and Training programs around your overall Business Continuity Program. The awareness and training should start early on by incorporating kick-off meetings that explain at a high level what will be taking place.
This helps to build awareness early on. At each key stage, some training should take place and it doesn’t need to be complex. It can be a simple overview of what will be occurring during the current or next phase.
As an example, as you get to the BIA phase you can have all or some of the participants attend a workshop explaining what you’ll be doing together. Show the participants the document you’ll be using which builds awareness and familiarity. Explain to them the information and data you’ll be looking for.
When it comes time to sit down with the members, you’ll be meeting to complete the BIA it will be easier to obtain the information you’re looking for. At the same time, you will be building on the previous awareness the participants have at each stage.
Establish and maintain training and awareness programs that result in personnel being able to respond to incidents in a calm and efficient manner
Once the plans are established, I find that it is helpful to put informational material together and send it out in the organization’s preferred method. Such as a monthly newsletter, a weekly chat message, a bulletin board, etc.
Some of the messaging could be:
Through contests where the first to answer correctly might win a prize
Messages about current disasters, and disruptions occurring in the world or to the organization
General details about current plan statuses’
Nonspecific (or very specific) details about what to do
Asking teams to run through a small scenario for 3 – 5 minutes – What would you do if/when?
Business Continuity Plan Exercise, Assessment, and Maintenance
Shortly after creating your business continuity plan, a tabletop exercise should be held. As I mentioned earlier in this article this stage is about learning and building additional awareness. You’ll be looking for gaps, additional interdependencies, and weaknesses within the plan.
Overall and over time throughout the remainder of the business continuity program I like to use the Learn, Practice, Implement, Challenge™ methodology I implemented for conducting exercises, assessments, and ongoing maintenance of the plans.
Establish an exercise, assessment, and maintenance program to maintain a state of readiness
The establishment of a program to exercise, assess, and maintain the plans should be built into the overall business continuity program itself and should be called out and detailed in the business continuity program charter.
Ideally, you should be holding annual exercises at a minimum. Each of these exercises should be progressing through the Learn, Practice, Implement, Challenge™ stage of the exercise methodology. Some plans and teams might need to conduct several stages of practice and implementation of the plans, but the goal should be to achieve a point where teams and plans can be challenged to achieve future success and enhance current strategies.
After each exercise, an assessment should be done (post-incident assessment or after-action review) and clear objectives, outcomes, and lessons learned should be documented.
The plan should then be updated according to the outcomes to make the existing current plans better. The new version should be documented, dated, and signed off on by plan owners and reviewers.
Additionally, a formal process should be documented as to who owns the plans and that person should be responsible for yearly reviews and plan maintenance.
Ideally, plans should be maintained and updated as changes occur to personnel, processes, technology, and vendors. If done as it happens, they are much easier to maintain over time and less likely to become stale and outdated.
Crisis Communications
Making crisis communications part of your business continuity plan and the program is another essential element to a successful program.
It is much easier to communicate during a crisis rapidly and effectively if you establish crisis communications frameworks and templates ahead of time. Rather than potentially omitting key information or providing incorrect information and making a mistake.
Provide a framework for developing a crisis communications plan
Start with building a framework and team around crisis communication. Select who will be on that team and appoint key spokespeople to make statements internally and externally.
You may need to separate and provide guidelines around internal and external crisis communications as well. Ideally, internal communications will come from key people depending on the situation.
Externally there will be times you want the CEO to make statements and there will be times you do not want the CEO to make a statement. Some businesses may choose to have the CEO always be the public spokesperson, and some may elect to never have the CEO do this. In any case, the spokesperson should have some training.
You will want to establish general information to communicate to employees as to what they should say or how to respond if approached by the media, or anyone else. You also want to send out reminders to employees as needed.
Create templates to communicate to internal and external recipients so that the communication is effective, addresses the key information about an event as needed.
Ensure that each message ends with a date and time the next expected communication is to take place. And, if multiple people are making statements, they remain consistent in the messaging. Ideally, it is best to select one spokesperson and an alternate.
Ensure that the crisis communications plan will provide for timely, effective communication with internal and external parties
In addition to the information above make certain that additional updates will be made in a timely manner. In major, rapidly changing events it is normal to provide an hourly update. However, information and situations can evolve rapidly. Sometimes it is best to let the media or others wait on an update (but not for too long) to know that an update will be delayed by ten or fifteen minutes. Optionally, early on it is best to state the next update will be provided in 3 hours or more. Make the cadence of the updates part of your framework.
One important additional item for internal communications. You will experience update requests from managers, frontline workers, stakeholders, customers, etc. as to when you can expect a specific process, technology, application, product, or service will become available again.
I will leave you with these three key points regarding this:
You will not want to repeatedly interrupt the people implementing recovery strategies to ask them when it will become available. Work this into your plans and how this is reported and managed.
Develop a system to provide notification to pertinent individuals when these things become available again.
Always end each official update with a time or date and time as to the next update. Make no other updates until that time.
Coordination with External Agencies
Finally, once you have everything else in place, your plans, your incident management team, your crisis communications, and you have practiced a few times you will want to include external agencies when you can in your exercises.
Additionally, you’ll want to make sure that your incident response team is ready to speak to and coordinate with external agencies as well.
Establish policies and procedures to coordinate incident response activities with public entities
Ideally, you can create and incorporate policies and procedures on how to coordinate the incident response with external agencies.
Include policies and procedures on communicating with Fire officials on the scene. You may even want to ask them what their needs will be ahead of time and make certain that information is available on their arrival.
Do police, Paramedics, EMTs, and other first responders know their way around your campus? If not, who will meet them and escort them where they need to go?
How will you coordinate if utility companies need to respond?
Do you know other key agency details and contact information such as hazardous material response teams? Local Office of Emergency Management? Your local Emergency Operations Centers?
So What is Business Continuity Anyway?
Now I hope you learned that business continuity is preparedness for business and you now have the method in which to implement it in your business.
Throughout the course of my career spanning over 25-plus years, I’ve witnessed many planners and organizations getting stuck during their continuity planning. This happens for a variety of reasons including how you manage the overall program. Here are some important ways on how to get ‘unstuck’ in your contingency planning.
The BIA phase is one of the most common phases that organizations and planners get hung up on and end up being ‘stuck’ in without making progress and moving on to the strategy selection and planning stages. This happens when you’re trying to get everyone through the BIA process prior to moving on into the other phases.
In large organizations with many business units and processes getting ‘stuck’ in this part of the business continuity process can easily derail your entire program. In fact, I have seen a healthcare organization 3 ½ years into their business impact analysis with an estimated six more months remaining until they thought they would complete this phase of the program. They also felt it wasn’t productive to move forward into additional steps prior to completing all BIA’s for the entire organization.
Three years in, it is highly likely that the data you collected in the beginning, is no longer valid. In most cases, a BIA should be completed every two years. In some cases, a BIA is completed once per year. So being 3 1/2 years in without further progress is not beneficial to the organization or to your program.
How to Avoid Getting Stuck
The best way to avoid getting stuck in the first place is to have a solid plan before you start with your first BIA. Determine how many BIA’s you will need to complete overall. Once you do this, you can easily break them down into smaller groups of four or five and plan out how many rounds of these groups you will have to do.
Start with your first group of business units and complete the BIA process with this first group. Once this is completed, move the first group into the strategy selection and planning phase and get your next group ready for their BIA phase.
Splitting your business units into groups allows you to continuously cycle them through each phase of the planning process. This allows them to move along in the process while the information is fresh, maintains the momentum, and rapport you built during the BIA process.
This also allows other groups and your management teams to see and experience the progress of your planning program which will contribute to your success.
What to Do If You’re Stuck
Here is how to get ‘unstuck’ in your contingency planning if you’re already in a situation where you might be having trouble moving the needle. There are a few things you can do to start your planning moving forward again. Since you want your business continuity program to be successful, I recommend that you start with the most recent business departments that completed their BIA’s. Moving them directly into the strategy selection and plan building phase.
Then go back to where you started in the beginning and meet with the departments that completed their BIA’s the furthest back in time. Review the data that you have looking for changes and make the necessary adjustment to the data you gathered.
Once you do this you may find that you can move these business departments into the next stage of strategy selection and plan creation and documentation. In some cases, you may find that so much has changed, from personnel, processes, responsibilities, and even applications that you might have to redo the entire BIA process again.
Don’t fret, simply continue this process, and as you find departments that have little to no changes move them along into the next phase and redo BIA’s for those groups that have too many changes to quickly gather the data.
This may seem like you’re moving backward at times, but you’ll be making more progress than you were previously by moving business units into the next phases.
Keep the Momentum Going
Once each business department group completes the creation of their planning document, move them into a tabletop walkthrough to look for gaps. missing information, or something that might cause an issue during recovery.
These groups can then be placed into a maintenance category where the plan will be reviewed at least once per year. Hopefully, someone will be dedicated to keeping the plan updated as changes are made making this process of doing a yearly review much easier.
