Business continuity planning is about more than how to keep a business running in the event of a disaster, it is about protecting the reputation of the business when something does go wrong. In the context of BCP the term ‘disaster’ encompasses a number of events. Natural disasters such as earthquakes, tornados, fires, blizards and floods certainly need to be addressed as any one could cause an office to be closed, employees unable to get to work leading to delays in processing, production and shipping. Technology disasters including server failures, hard drive crashes, viruses and malicious attacks all can also lead to business failures if a continuity plan is not in place to get a business up and running.
Businesses that are unable to recover quickly and efficiently from a disaster with minimal client impact face many risks. Customers may lose faith due to unreliability, slow or missing delivery of a product or difficulty in reaching a representative for assistance. Investor confidence may be tested as the company looks weak and unprepared, and the expenses associated with disaster recovery without a preexisting plan could be astronomical. If a business wants to be able to get back to business quickly with as little negative customer, employee and revenue impact as possib le it is important to have a BCP ahead of time.
When creating, implementing and maintaining a plan there are five aspects that must be addressed:
- Assess potential threats – Time should be spent brainstorming disaster scenarios and threats. All risks should be evaluated, but additional focus should be given to the highest risk and/or most likely scenarios. Determining what systems are affected and how should be here or in the next step.
- Core operations must be identified – These are the systems necessary for the business to maintain day-to-day operations, specifically the primary business function. Part of this process is determining a minimum acceptable level at which the business can run.
- Identify critical functions of core operations – Determining both functional tasks and the required resources, tools or equipment necessary to complete these tasks. This includes finding the minimum aspects of operations that must be able to continue to run to meet the minimum acceptance level. This information allows restricted resources to be directed to where they are most needed.
- Delegate critcal function responsibilities – Ensure individuals understand their responsibilities in the event of a disaster. Employees must know the plan, their role, and how to get necessary resources, tools and equipment to complete their tasks. Distribution of emergency procedure materials and training on said procedure are included in this step.
- Testing and Evaluation – Once all other steps are complete and the plan is put in place, it must be tested and evaluated on a regular basis. Testing may range from fire drills to simulated primary server outages. The plan is evaluated by comparing against various benchmarks and the needs of the business, and should be updated or changed as necessary.