9 Crucial Parts of BCM Business Continuity Management
Just how important is BCM Business Continuity Management, and what goes into it?
Let’s imagine two hot new tech companies operate in the same city: TweedleDee and TweedleDum. On paper, the companies look nearly identical: similar products, similar number of employees, similar offices. But after a storm floods the city, TweedleDum is shuttered, while TweedleDee somehow continues to operate without even flinching. Why?
As it turns out, there was one big difference between the two companies: one had a solid business continuity plan, and the other did not.
TweedleDee had mirrored all of its essential operations and replicated data off-site, so it was able to seamlessly move the business to a backup location. Meanwhile, the employees at TweedleDum were left twiddling their fingers. The company never recovered.
This scenario may be fictional, but many businesses experience the devastating reality of such a disaster every year. According to FEMA, 40 percent of businesses never reopen their doors after a disaster, and among those that do, roughly 70 percent close within two years.
If your business doesn’t take BCM Business Continuity Management seriously, then it’s only a matter of time before a disaster wreaks havoc on your operations.
Why take the risk? Here are the 9 essential components to successful continuity planning.
1) The Business Continuity Plan (BCP)
The Business Continuity Plan is a written document that outlines every aspect of the company’s disaster preparedness, response and recovery. It is the fundamental piece of BCM Business Continuity Management. It dictates all the steps that should be taken during a critical event and also outlines the preventative measures for mitigating the risks of disaster.
A good BCP should be able to answer the following questions:
- What is the objective of the plan? Why does the company need it?
- What constitutes a disaster that would activate the plan?
- Who does what during a disaster?
- How will personnel communicate? Who contacts whom?
- What is the likelihood of various types of disasters (natural disasters, cyberattacks, human error and so on)?
- What is the business impact of those events?
- What technologies are being leveraged to ensure continuity?
- What gaps need to be filled? Where are weaknesses, and how can they be corrected?
When a BCP is doing its job, there is no confusion during a disaster. Executives, stakeholders and personnel know what to do and how to do it. And if they don’t, they can easily access the plan and follow the steps as written.
A business continuity document is not static. As we’ll cover below, the plan needs to be frequently reviewed and updated to ensure all the information is accurate and up to date.
2) Recovery Teams
Your continuity planning is nothing without a team to manage it. Generally referred to as a recovery team, these are the personnel who will play the most important roles in both planning and carrying out your emergency procedures.
The responsibilities of your recovery team will include:
- Writing and updating the BCP
- Identifying new risks and/or preventative solutions
- Training personnel on disaster response actions
- Coordinating interdepartmental communication
- Activating the BCP when a situation warrants it
The size of a recovery team generally depends on the size of the business or the scope of the BCP. Ideally the team will consist not only of IT personnel, but also employees from various business-critical departments. These contacts do not necessarily have to be department managers. However, they should be well-versed in the managerial roles of their respective departments and should be able to make important decisions without the help of supervisors.
3) Risk Assessment
One of the most important tasks in managing your BCP is assessing the company’s unique risks. This risk assessment is critical in determining the company’s vulnerabilities and how they relate to a potential disruption in operations.
Each business has its own risks. You may find that your company is more at risk of certain types of disasters than others. This could be due to a number of reasons:
- Location: Proximity to flood-prone areas, earthquake fault lines, known terrorist targets, etc.
- Nature of business: Some businesses may be more likely to be targets of cyberattacks, due to the sensitivity/value of their data.
- Structural or site-specific vulnerabilities: Known issues with older buildings, electrical fire risks, power outages, industrial incidents, etc.
- Chance of human-caused events: This could be anything from internal errors to external vandalism or areas known for rioting.
For one business, it may be more devastating to lose access to a data center, while for another, it may be more disruptive if employees got stuck in traffic due to a bridge closure.
By performing a thorough risk assessment, you’ll be able to identify the most likely disasters and the damage they could cause.
4) Disaster Response Procedures
Once a risk assessment has been completed, it is easier to define the specific steps that need to be taken in the event of a disaster. These steps will generally be different for each type of event, though some processes will overlap.
Outlining these procedures is essential for personnel to know what to do when disaster strikes. Procedures should include even the most seemingly obvious steps, like calling 9-1-1 in a fire, as well as the more complex processes that ensure business continuity, like recovering data backups or moving business-critical employees to a backup site.
The steps should not be too general. A list of DR procedures might include actions like:
- Notify Recovery Team leads of scope of event, as well as senior management
- Diagnose affected devices and servers, if accessible
- Contact appropriate vendors (e.g. after an application outage or any event affecting third-party systems or recovery tools). List the primary points of contact, with emergency communication methods
- Retrieve emergency funds (where, how and who)
- Establish transportation for personnel to/from backup site
- Notify insurance provider(s)
These steps are not specific to one disaster. But they are examples of the 360-degree approach that is needed to eliminate confusion and get operations back up and running.
5) Technology
Another fundamental part of managing continuity planning is identifying and implementing the technologies that make continuity possible. That includes all the tech, hardware, software and configurations for both preventing a disaster and recovering from one.
Your BCM technology includes things like:
- Data backup and recovery solutions
- Cloud storage
- Anti-malware & anti-virus solutions
- Firewall settings
- Network user permissions
- Internal or external data centers
Basically any part of your IT infrastructure is applicable here if it will be needed to restore operations after a disaster.
The BCP writers and recovery teams are tasked with identifying the best technology solutions for business continuity and making sure that existing systems are properly maintained, tested and up to date.
6) Backup Locations and Physical Assets
If the company’s office, warehouse or manufacturing plant is suddenly destroyed, where does the business go?
In an ideal world, you’ll already have a backup location ready to go, along with backup equipment, so that business-critical personnel can get back to work immediately.
Managing your continuity planning thus involves finding, securing and identifying these secondary spaces and assets:
- Locations of backup facilities
- Contact persons in charge of managing those locations
- Inventory of emergency backup equipment
- Inventory of all physical assets located at the disaster site (for both insurance and replacement purposes)
Having backup locations may be feasible for enterprise companies, but not all small businesses can afford to lease a second office that just sits empty, waiting for disaster to strike. Still, companies can prepare for such a scenario by researching possible locations and partnering with real estate professionals who could help to secure a spot at a moment’s notice.
Like all of BCM, this is an evolving, constantly moving process. When one possible backup location becomes unavailable, another must be selected. And since the backup location will not have any infrastructure ready to go, recovery planners will need to outline the fastest, most efficient steps for moving operations to the new site when needed.
7) Lines of Communication
Without the ability to communicate in an emergency, recovery teams will not be able to do their jobs. Restoring operations will take far longer and confusion will mount.
This is why it is critical to determine how personnel will reach each other in a disaster, especially if the normal lines of communication have been broken.
Consider things like:
- Emergency communication methods
- Calling trees to identify who contacts whom
- Contact information for all personnel
- Emergency backup mobile phones for select personnel
- External websites or call-in number for company announcements
8) Testing & Mock Recovery
Companies should put their BCPs to the test on a regular basis. This can involve everything from a fire drill to a mock recovery of lost data.
The purpose of testing is to ensure that the procedures outlined in the plan are effective. If it becomes clear that nobody knows what to do during a mock event, or systems aren’t working like they’re designed, then recovery teams need to go back to the drawing board.
Schedule tests on a periodic basis and use the results to identify both strengths and weaknesses in your continuity planning.
9) Plan Updating
It should be clear by now that all of the components listed above are constantly changing. Technologies become outdated. Personnel leave the company. New risks emerge. Your BCP might be up to date today, but chances are it will be outdated a week from now.
As such, every company’s continuity planning must be constantly evaluated and updated:
- Determine how often the BCP should be reviewed and by whom
- Schedule periodic meetings for recovery team
- Perform risk assessment at least yearly
- Always include the most recent “date updated” in plan documents
Get More Information
For more information on business continuity solutions for small businesses, contact our experts at Invenio IT. Contact us at (646) 395-1170.