Just how important is BCM (Business Continuity Management), and what goes into it?
Let’s imagine two hot new tech companies operate in the same city: TweedleDee and TweedleDum. On paper, the companies look nearly identical: similar products, similar number of employees, similar offices. But after a storm floods the city, TweedleDum is shuttered, while TweedleDee somehow continues to operate without even flinching. Why?
As it turns out, there was one big difference between the two companies: one had a solid business continuity plan, and the other did not.
TweedleDee had mirrored all of its essential operations and replicated data off-site, so it was able to seamlessly move the business to a backup location. Meanwhile, the employees at TweedleDum were left twiddling their fingers. The company never recovered.
This scenario may be fictional, but many businesses experience the devastating reality of such a disaster every year. According to FEMA, 25 percent of businesses never reopen their doors after a disaster.
If your business doesn’t take business continuity management (BCM) seriously, then it’s only a matter of time before a disaster wreaks havoc on your operations.
Why take the risk? Here are the 11 essential components to successful continuity planning.
1) The Business Continuity Plan (BCP)
The Business Continuity Plan is a written document that outlines every aspect of the company’s disaster preparedness, response and recovery. It is the fundamental piece of business continuity management (BCM). It dictates all the steps that should be taken during a critical event and also outlines the preventative measures for mitigating the risks of disaster.
A good BCP should be able to answer the following questions:
- What is the objective of the plan? Why does the company need it?
- What constitutes a disaster that would activate the plan?
- Who does what during a disaster?
- How will personnel communicate? Who contacts whom?
- What is the likelihood of various types of disasters (natural disasters, cyberattacks, human error and so on)?
- What is the business impact of those events?
- What technologies are being leveraged to ensure continuity?
- What gaps need to be filled? Where are weaknesses, and how can they be corrected?
When a BCP is doing its job, there is no confusion during a disaster. Executives, stakeholders and personnel know what to do and how to do it. And if they don’t, they can easily access the plan and follow the steps as written.
A business continuity document is not static. As we’ll cover below, the plan needs to be frequently reviewed and updated to ensure all the information is accurate and up to date.
2) Recovery Teams
Your continuity planning is nothing without a team to manage it. Generally referred to as a recovery team, these are the personnel who will play the most important roles in both planning and carrying out your emergency procedures.
The responsibilities of your recovery team will include:
- Writing and updating the BCP
- Identifying new risks and/or preventative solutions
- Training personnel on disaster response actions
- Coordinating interdepartmental communication
- Activating the BCP when a situation warrants it
The size of a recovery team generally depends on the size of the business or the scope of the BCP. Ideally the team will consist not only of IT personnel, but also employees from various business-critical departments. These contacts do not necessarily have to be department managers. However, they should be well-versed in the managerial roles of their respective departments and should be able to make important decisions without the help of supervisors.
3) Risk Assessment
One of the most important tasks in managing your BCP is assessing the company’s unique risks. This risk assessment is critical in determining the company’s vulnerabilities and how they relate to a potential disruption in operations.
Each business has its own risks. You may find that your company is more at risk of certain types of disasters than others. This could be due to a number of reasons:
- Location: Proximity to flood-prone areas, earthquake fault lines, known terrorist targets, etc.
- Nature of business: Some businesses may be more likely to be targets of cyberattacks, due to the sensitivity/value of their data.
- Structural or site-specific vulnerabilities: Known issues with older buildings, electrical fire risks, power outages, industrial incidents, etc.
- Chance of human-caused events: This could be anything from internal errors to external vandalism or areas known for rioting.
For one business, it may be more devastating to lose access to a data center, while for another, it may be more disruptive if employees get stuck in traffic due to a bridge closure.
By performing a thorough risk assessment, you’ll be able to identify the most likely disasters and the damage they could cause.
4) Impact Analysis
A business impact analysis is the secondary component of the risk assessment. Once you have identified the unique risks to your organization, the next step is determining how each of those events will affect the business. This analysis is critical for understanding the true impact of each situation so that planning and resources can be prioritized appropriately.
For most businesses, determining the impact of a disaster is chiefly a financial calculation. However, there are several things to consider as part of this calculation:
- What is the direct operational impact of the event? What are the consequences?
- Which operations will be affected and how?
- How long will the outage last?
- How many employees will be idled by the event? For how long?
- Will revenue be affected?
- What are the estimated costs for recovery?
Each of these answers helps to calculate the true cost of the disaster, which you may prefer to document in terms of hourly and daily losses. Each type of disaster will have a different financial impact. This will allow you to prioritize around the most disruptive events to ensure that enough systems are in place to prevent, mitigate and respond to those disruptions.
In your business continuity plan, you will typically want to categorize the impact of each risk on a scale of 1 to 5. This makes it easier to gauge the severity from a high-level standpoint, particularly when comparing it against the likelihood of each event.
Here is a very basic template for how you might structure this in your BCP:
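The article’s template itself is not reproduced on this page. As an added example (not the article’s own template or code), the following Python risk register scores each risk on the 1-to-5 likelihood and impact scales described above and expresses the impact as hourly and daily losses. The priority score (likelihood × impact), the rating bands, the revenue and wage figures and the sample risks are all assumptions constructed for illustration; a real BCP would take the financial inputs from finance and the ratings from the recovery team.

```python
"""Risk register scoring for a business continuity plan (BCP).

Added example, not from the original article. Likelihood and impact are
rated 1 to 5 as the article suggests; the priority score is their product
(a common 5x5 risk-matrix convention, assumed here). Estimated loss is
derived from the outage duration, idle headcount and hourly revenue.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int       # 1 (rare) to 5 (almost certain)
    impact: int           # 1 (negligible) to 5 (catastrophic)
    outage_hours: float   # expected length of the disruption
    idle_employees: int   # staff unable to work while it lasts
    recovery_cost: float  # direct recovery spend (vendors, replacement gear)


# Constructed sample figures; a real BCP would take these from finance.
HOURLY_REVENUE = 2_500.0   # revenue lost per hour of full outage
HOURLY_WAGE = 40.0         # average loaded cost of one idle employee per hour

# Assumed score bands for a 5x5 matrix; the article specifies only the 1-5 scales.
BANDS = ((15, "critical"), (10, "high"), (5, "medium"), (1, "low"))


def validate(risk: Risk) -> None:
    """Reject ratings outside the 1-5 scale so bad data cannot skew the ranking."""
    for field in ("likelihood", "impact"):
        value = getattr(risk, field)
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{risk.name}: {field} must be an integer from 1 to 5, got {value!r}")
    if risk.outage_hours < 0 or risk.idle_employees < 0 or risk.recovery_cost < 0:
        raise ValueError(f"{risk.name}: duration, headcount and costs cannot be negative")


def priority_score(risk: Risk) -> int:
    """Likelihood x impact: the single number used to compare risks side by side."""
    validate(risk)
    return risk.likelihood * risk.impact


def rating(score: int) -> str:
    """Map a priority score onto the assumed low/medium/high/critical bands."""
    for threshold, label in BANDS:
        if score >= threshold:
            return label
    raise ValueError(f"score {score} is below the scale")


def estimated_loss(risk: Risk) -> dict:
    """Express the financial impact as hourly and daily losses plus a total for the event."""
    validate(risk)
    hourly = HOURLY_REVENUE + risk.idle_employees * HOURLY_WAGE
    return {
        "hourly": hourly,
        "daily": hourly * 24,
        "total": hourly * risk.outage_hours + risk.recovery_cost,
    }


def rank(risks) -> list:
    """Order the register by priority score, breaking ties by total estimated loss."""
    return sorted(
        risks,
        key=lambda r: (priority_score(r), estimated_loss(r)["total"]),
        reverse=True,
    )


def register_rows(risks) -> list:
    """Rows for the table a BCP would carry: name, L, I, score, rating, losses."""
    rows = []
    for r in rank(risks):
        score = priority_score(r)
        loss = estimated_loss(r)
        rows.append((r.name, r.likelihood, r.impact, score, rating(score),
                     round(loss["hourly"]), round(loss["daily"]), round(loss["total"])))
    return rows


# Constructed sample register (not real data).
SAMPLE_RISKS = [
    Risk("Ransomware on file servers", likelihood=4, impact=5, outage_hours=48, idle_employees=60, recovery_cost=20_000),
    Risk("Regional flooding", likelihood=2, impact=5, outage_hours=120, idle_employees=80, recovery_cost=75_000),
    Risk("Bridge closure blocks commute", likelihood=3, impact=2, outage_hours=8, idle_employees=40, recovery_cost=0),
    Risk("Power outage at primary office", likelihood=4, impact=2, outage_hours=4, idle_employees=80, recovery_cost=500),
]

if __name__ == "__main__":
    print(f"{'Risk':<32}{'L':>3}{'I':>3}{'Score':>7}  {'Rating':<9}{'Hourly':>9}{'Daily':>10}{'Total':>11}")
    for name, l, i, s, rt, h, d, t in register_rows(SAMPLE_RISKS):
        print(f"{name:<32}{l:>3}{i:>3}{s:>7}  {rt:<9}{h:>9,}{d:>10,}{t:>11,}")
```

Running the block prints the register sorted from the most to the least pressing risk, which is the order in which planning effort and budget should be allocated. Because the score multiplies likelihood by impact, a frequent but minor event (the power outage) can outrank a rarer but costlier one in total dollars, so the dollar columns are kept alongside the score rather than replaced by it.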
5) Disaster Response Procedures
Once a risk assessment has been completed, it is easier to define the specific steps that need to be taken in the event of a disaster. These steps will generally be different for each type of event, though some processes will overlap.
Outlining these procedures is essential for personnel to know what to do when disaster strikes. Procedures should include even the most seemingly obvious steps, like calling 9-1-1 in a fire, as well as the more complex processes that ensure business continuity, like recovering data backups or moving business-critical employees to a backup site.
The steps should not be too general. A list of DR procedures might include actions like:
- Notify Recovery Team leads of scope of event, as well as senior management
- Diagnose affected devices and servers, if accessible
- Contact appropriate vendors (e.g., for an application outage or any event affecting third-party systems or recovery tools; list the primary points of contact, with emergency communication methods)
- Retrieve emergency funds (where, how and who)
- Establish transportation for personnel to/from backup site
- Notify insurance provider(s)
These steps are not specific to one disaster. But they are examples of the 360-degree approach that is needed to eliminate confusion and get operations back up and running.
6) Business Continuity Technology
Another fundamental part of managing continuity planning is identifying and implementing the technologies that make continuity possible. That includes all the tech, hardware, software and configurations for both preventing a disaster and recovering from one.
Your BCM technology includes things like:
- Data backup and recovery solutions
- Cloud storage
- Anti-malware & anti-virus solutions
- Firewall settings
- Network user permissions
- Internal or external data centers
Basically any part of your IT infrastructure is applicable here if it will be needed to restore operations after a disaster.
The BCP writers and recovery teams are tasked with identifying the best technology solutions for business continuity and making sure that existing systems are properly maintained, tested and up to date.
7) Backup Locations and Physical Assets
If the company’s office, warehouse or manufacturing plant is suddenly destroyed, where does the business go?
In an ideal world, you’ll already have a backup location ready to go, along with backup equipment, so that business-critical personnel can get back to work immediately.
Managing your continuity planning thus involves finding, securing and identifying these secondary spaces and assets:
- Locations of backup facilities
- Contact persons in charge of managing those locations
- Inventory of emergency backup equipment
- Inventory of all physical assets located at the disaster site (for both insurance and replacement purposes)
Having backup locations may be feasible for enterprise companies, but not all small businesses can afford to lease a second office that just sits empty, waiting for disaster to strike. Still, companies can prepare for such a scenario by researching possible locations and partnering with real estate professionals who could help to secure a spot at a moment’s notice.
Like all of BCM, this is an evolving, constantly moving process. When one possible backup location becomes unavailable, another must be selected. And since the backup location will not have any infrastructure ready to go, recovery planners will need to outline the fastest, most efficient steps for moving operations to the new site when needed.
8) Lines of Communication
Without the ability to communicate in an emergency, recovery teams will not be able to do their jobs. Restoring operations will take far longer and confusion will mount.
This is why it is critical to determine how personnel will reach each other in a disaster, especially if the normal lines of communication have been broken.
Consider things like:
- Emergency communication methods
- Calling trees to identify who contacts whom
- Contact information for all personnel
- Emergency backup mobile phones for select personnel
- External websites or call-in number for company announcements
9) Testing & Mock Recovery
Companies should put their BCPs to the test on a regular basis. This can involve everything from a fire drill to a mock recovery of lost data.
The purpose of testing is to ensure that the procedures outlined in the plan are effective. If it becomes clear that nobody knows what to do during a mock event, or systems aren’t working like they’re designed, then recovery teams need to go back to the drawing board.
Schedule tests on a periodic basis and use the results to identify both strengths and weaknesses in your continuity planning.
10) Periodic Review and Recommendations
Similar to testing, another important component of business continuity management is continually reevaluating the existing planning and systems.
When developing a BCP, businesses will naturally identify gaps in their planning. These weaknesses should be documented along with action steps for resolving them. Those action steps could involve anything from creating new recovery protocols to implementing strong data backup systems. But the fundamental task is making sure your planning is reviewed on a regular basis.
When reevaluating a BCP, here are some questions to keep in mind:
- Are recovery protocols still relevant and up to date?
- Could recovery procedures be even faster and more efficient?
- Do additional systems or technologies need to be implemented?
- Which areas of risk require additional planning?
- Are there any new risks to operations that were not applicable or identified when the BCP was created?
- Has the potential impact of those events changed? Are they more or less severe?
If changes are recommended, they should be clearly communicated with the reasons that warrant them. This is especially important if stakeholders will need to review an assessment before making additional technology investments.
For example, maybe your BCP review uncovers that your existing BCDR system is not adequate for newer threats like ransomware. Your assessment should make clear that the current implementation is creating a major risk for significant data loss and slow recovery, whereas a newer system could vastly improve backup frequency, recovery speed and overall continuity.
11) Plan Updating
It should be clear by now that all of the components listed above are constantly changing. Technologies become outdated. Personnel leave the company. New risks emerge. Your BCP might be up to date today, but chances are it will be outdated a week from now.
As such, every company’s continuity planning must be constantly evaluated and updated:
- Determine how often the BCP should be reviewed and by whom
- Schedule periodic meetings for recovery team
- Perform risk assessment at least yearly
- Always include the most recent “date updated” in plan documents
Frequently Asked Questions
1) What is business continuity management?
Business continuity management is the process of managing strategies that enable a business to keep running during an operational disruption. Management can include documentation, such as the creation of a business continuity plan, and the formation of disaster recovery protocols. It can also include the management of business continuity technologies, such as data backup systems. Business continuity managers are tasked with assessing a business’s unique risks, analyzing the impact of different operational disruptions and applying an effective strategy for disaster prevention and recovery.
2) What are the 4 main areas of business continuity management?
The four main areas of business continuity management are 1) disaster prevention, 2) disaster preparedness, 3) disaster response and 4) disaster recovery. These four categories are sometimes also referred to as “disaster management.” Each category comprises protocols and systems designed to help an organization maintain continuity by preventing and mitigating disasters, preparing for the most likely disruptions, appropriately responding to a disaster situation and executing a full recovery. All of these protocols should be documented in a business continuity plan.
3) What’s the difference between BCM and BCP?
A business continuity plan (BCP) is a central component of business continuity management (BCM). BCM refers to the overall management of continuity strategies and implementations, whereas BCP refers specifically to the documentation.
4) Which technologies are part of business continuity management?
Essentially any form of technology that helps a business maintain operations can be considered part of business continuity management. Traditionally, a business continuity and disaster recovery (BCDR) solution is viewed as the most important technology, as it enables businesses to recover lost data, applications and operating systems. However, a wide range of other tech plays a role in BCM, such as antivirus software, network firewalls and backup power generators, just to name a few.
Every business needs to consider how it will prepare for an operational disruption. A lack of planning is a recipe for disaster. Because if a business cannot recover quickly enough, it might never recover at all. The ongoing process of business continuity management helps to ensure that an organization is prepared for an adverse event and has systems in place to keep the business running.
Get More Information
For more information on business continuity solutions for small businesses, contact our experts at Invenio IT. Request a free demo of robust BCDR solutions from Datto, or contact us directly by calling (646) 395-1170 or emailing success@invenioIT.com