If you live in Kansas, it’s a safe bet that you have a plan in place for what to do in case of a tornado. Schools in California regularly run earthquake drills. In the military, if a commanding officer is injured or otherwise incapacitated, they have a long-standing plan in place to immediately transfer command to the next highest ranking officer, and everyone is very clear on exactly who that is.
Unfortunately, most businesses are not as well prepared as schoolchildren or the military. Emergencies and crises happen every day, and often without warning. This is why having a Business Continuity Plan (BCP) in place is so important.
What is a Business Continuity Plan and Why Should You Have One?
A Business Continuity Plan (BCP) is a plan detailing how all stakeholders and employees should act or respond in the event of a wide range of crises. Businesses today are vulnerable to a wider range of attacks than before. Digital crimes such as being hacked or attacked with malware or ransomware, the death of a business partner, a critical employee becoming sick or injured, natural disaster, scandal, theft, or even threats to a supply line, or simple human error are all events that can put a business seriously at risk.
The more you plan ahead for these events, the more likely you are to sail through them unscathed. Here are four steps to creating a comprehensive BCP for your business.
1. Conduct a Business Impact Analysis (BIA)
Diverse businesses are going to be at higher risk from different threats. A personal scandal may rock a large corporation but have much less impact on small business. An online retail business may need to protect both its inventory and its data, while an app-driven service business may need to protect its data and delivery means above all else. A business impact analysis will tell you exactly which are the highest risks.
A BIA will identify the top threats to your business and show you where you need to put the majority of your efforts. This doesn’t mean that you don’t also need to plan for the unexpected, but some threats are going to be more catastrophic to some businesses than others.
2. Create a Continuity Plan That Addresses Your Biggest Threats
A detailed BCP needs to address several critical factors, such as who is responsible for what in the event of a crisis or how communication is to be handled. In some cases, you may want to consult an attorney to ensure that you have all of the appropriate documentation necessary to carry out certain aspects of your BCP. These can include situations such as the death of a partner or board member or even what to do if they are no longer in possession of their faculties. Some other points you might want to address in your plan are:
- Assigned roles and responsibilities
- Who to contact in order of importance
- Alternate lines of communication
- Immediate incident response
- Recovery plan
- Resuming activities from a temporary location
3. Practice and Test
You can’t know how well your BCP works unless you test it out. You can start by simply gathering together and verbally working through what each person should do in the event of a different type of crisis. Once you have addressed any holes or issues with your plan at that stage, you can move on to live testing.
In some cases, you may warn employees in advance that it is only a drill, while in others you may need to determine how well they respond when they don’t know it’s a drill. The first time you run a drill of any kind, it is a good bet that chaos will ensue. No matter how great your plan is on paper, execution is a whole different story, which is exactly why you run drills. As great as verbally walking through the plan may be, it is only in “live testing” that you can determine how well some people will respond in a genuine threat or crisis.
4. Learn and Improve
When running drills, it is a good idea to go in already expecting problems, mistakes, and issues. That is the whole point of running drills in the first place. It is far better to have those mistakes made in practice situations than in an actual crisis. Mistakes in practice can be accounted for and corrected. For instance, you may discover that only one person in the office has the key to a critical room or area, while in other cases you may discover too many people have the password to a vital system or access to sensitive data.
One of the most difficult challenges for most businesses to overcome is making sure that important access is restricted on a regular basis, while also ensuring enough personnel have or can gain access in a crisis. Seeing what mistakes are made in practice is vital to correcting them in order to be ready for an actual emergency.
A BCP should never be set in stone but should be constantly evolving as your business evolves. It is important to review it annually at the very least, and quarterly if possible. It is also vital to review your BCP any time you have a personnel change of any kind. You don’t want to feel prepared for a crisis only to realize that the person you prepared for that crisis with is no longer an employee when the crisis actually hits.