Creating, practicing, and maintaining a successful Business Continuity Management (BCM) program requires detailed documentation, diligence, and discipline. It is an involved process that will only succeed when you have the right buy-in and resources working together to develop, implement, and audit.
“Business Continuity Planning can be described as a three-legged stool,” says Jeff Fulton, former fractional Chief Information Officer (Account Manager) at Safety Net. Jeff boasted decades of experience with BCP for large corporations like American Express and Time, Inc., and he is a Certified Business Continuity Professional (CBCP).
3 Legs of the BCP Stool
The “3 Legs of the BCP Stool” metaphor highlights the foundational aspects essential for a strong Business Continuity Plan (BCP). These legs represent critical components that support your plan’s effectiveness and resilience in the face of disruptions:
- Business Continuity Planning: Yes, the first leg is the same as the concept itself. This is all about the people, places, and processes. During an event, where do people go? What do they need to do to keep the business running? And what’s the plan for each department within an organization?
- Crisis Management: This includes physical safety, employee protection, and related communications. For example, how will you communicate with your staff during a severe weather alert, or relay information to the fire department or law enforcement during a fire or active shooter situation?
- Disaster Recovery (DR): The “things” part of a BCM program. How will you recover from a server failure? A network outage? A cryptovirus? Do you have backups or workarounds in place? What is the priority for systems recovery in the event of a disaster?
Understanding these elements is key to developing a comprehensive BCP strategy. While each component has its unique focus, they are all interconnected and must work together seamlessly during a crisis. It’s important to have a solid plan in place for each aspect and regularly revisit and update them as needed.
12 Professional Process Steps For Business Continuity Management
Without a thorough plan in place, many organizations fail to recover from a disaster. Luckily, we’ve developed twelve professional practice steps to a successful BCM program. Working through the steps is time-consuming, but investing the resources to develop, practice, and revisit a BCP will put you in a position to navigate unexpected outages, natural disasters, or dangerous workplace events.
1. Program Initiation and Management
Establish the need for a BCM Program (and identify the program components) by gaining a clear understanding of your risks and vulnerabilities. This can be done through the development of resilience strategies and response, restoration, and recovery plans.
The main objectives of this professional practice are to obtain leadership’s support and funding—then you can start to build the organizational framework and develop the BCM program.
2. Risk Evaluation and Control
Identify the risks/threats and vulnerabilities, both inherent and acquired, that can adversely affect your organization, its resources, or its image. Once identified, threats and vulnerabilities are assessed for the likelihood that they will occur and the potential level of impact that would result.
Your business can then focus on high-probability and high-impact events to identify where controls, mitigations, or management processes are non-existent, weak, or ineffective. This evaluation results in recommendations from the BCM Program for which additional controls, mitigations, or processes should be implemented to increase resiliency from the most commonly occurring and/or highest-impact events.
3. Business Impact Analysis (BIA)
During this step, your organization should identify the likely and potential impacts of events on your business or its processes, as well as the criteria that will be used to quantify and qualify such impacts. This includes the following:
- Financial Effect
- Operational Effect
- Customer Effect
- Regulatory Compliance
- Reputational Impacts
The criteria to measure and assess these impacts must be defined and accepted, then used consistently to define each organizational process’s Recovery Time Objective (RTO) and Recovery Point Objective (RPO). The result of this analysis is to identify time-sensitive processes and the requirements to recover them in an acceptable timeframe.
4. Business Continuity Strategies
Use the data collected during Risk Evaluation and BIA to identify available continuity and recovery strategies for your organization’s operations and technology. Recommended strategies must be approved and funded, and must meet both the recovery time (RTO) and recovery point objectives (RPO) identified in the BIA.
You should also perform a cost-benefit analysis on the recommended strategies to align the cost of implementing the strategy against the assets at risk.
5. Emergency Preparedness and Response
Develop and implement your organization’s plan to respond to emergencies that may impact the safety of employees, visitors, or other assets.
The emergency response plan should document how your business will respond to emergencies in a coordinated, timely, and effective manner to address life safety and stabilization of emergencies until the arrival of trained or external first responders.
6. Business Continuity Plan Development and Implementation
The Business Continuity Plan is a set of documented processes and procedures that will enable your organization to continue or recover time-sensitive processes. This is usually created to allow processes to continue at the minimum level within the timeframe acceptable to the business.
In this phase of the Business Continuity Management Program, the relevant teams design, develop, and implement the approved continuity strategies and document the recovery plans to be used in response to an incident or event.
7. Awareness and Training Programs
A program is developed and implemented to establish and maintain awareness about the Business Continuity Management (BCM) Program and to train your organization’s staff so that they are prepared to respond during an event.
This training program should ensure staff members understand their roles and responsibilities in the event of an emergency or business disruption. The team will also regularly conduct mock exercises to test the effectiveness and readiness of the plan.
8. Business Continuity Plan Exercise, Audit, and Maintenance
To continue to be effective, a Business Continuity Management (BCM) Program must implement a regular recovery exercise schedule to establish confidence in a predictable and repeatable performance. As part of the change management program, the tracking and documentation of these activities evaluate the ongoing state of readiness.
This tracking will allow continuous improvement of your organization’s recovery capabilities and ensure that plans remain current and relevant. An audit process will also validate that the plans are complete, accurate, and in compliance with organizational goals and industry standards.
9. Crisis Communications
Define the framework to identify, develop, communicate, and exercise a crisis communications plan. This plan should address how communications will be handled before, during, and after crises. The communications plan is developed collaboratively with your organization’s public information and internal information resources where they exist to ensure consistency of communication.
The plan should address the need for effective and timely communication between the organization and all the stakeholders impacted by an event or involved during the response and recovery efforts.
10. Coordinating with External Agencies
Establish policies and procedures to coordinate response, continuity, and recovery activities with external agencies at the local, regional, and, if necessary, national levels. But don’t forget to prioritize compliance with applicable statutes and regulations.
This also includes establishing a process to obtain mutual assistance support from and provide the same to other organizations when requested.
11. Program Improvement
The program must be evaluated and improved continually to ensure that it remains proactive.
Your organization should monitor industry trends, emerging threats, and the results of its own exercise program to identify potential gaps or other areas that require improvement. Regularly reviewing and updating policies, procedures, plans, and other documentation will ensure that your BCM Program is effective and continues to meet organizational goals.
12. Store, Update, and Distribute Your Plan Regularly
The Business Continuity Plan is a living document that must be regularly reviewed and updated to ensure it remains accurate and relevant. Follow these steps to ensure your plan maintains its effectiveness:
- Ensure all team members have access to the latest version of the plan, including any relevant updates or changes.
- Store the plan in a secure location.
- Test your backup procedures regularly to ensure they are functioning correctly.
- Perform annual reviews and audits to identify any necessary changes or improvements.
- Distribute the plan to all relevant team members, including new employees, and provide training on their roles and responsibilities in case of a disaster.
- Regularly communicate updates and changes to the organization to ensure everyone is aware of their roles and responsibilities in an emergency.
There’s no question that 2020 changed the business world forever. While COVID-19 gave us all a taste of the drastic measures required to adjust to an unexpected crisis, many organizations still do not recognize the need for a BCM program. Your services, your products, your colleagues, and your success are valuable and deserve the investment!
Start Managing the Right Way With Safety Net
Diving into the process of business continuity management is best guided by experienced professionals who are familiar with the intricacies of these twelve steps.
There are courses and certifications available through Disaster Recovery Institute International (DRI)—but because the initial creation of a BCM program is a one-time thing for most organizations, it can be more cost-effective and a better use of internal resources to work with a third party. Fortunately, Safety Net provides a “Disaster Recovery Lite” template to its managed service clients. The document will walk you through the information that should be included in the most basic of disaster recovery plans.
This document contains critical operation details and a plan for getting them back online after an event. More extensive planning is available on a project basis—contact us to learn more!