If you didn’t know before, a mainstay of business continuity management is the business continuity plan (BCP), a collection of resources, actions, procedures, and information, designed to prepare organizations to maintain essential functions in the event of a major disruption like the coronavirus pandemic.
After all, it’s the planning effort that ensures critical operations remain available and minimizes major impacts, up to and including business closure. But even the best-laid contingency plans will need an update in this coronavirus moment. What does it take to develop an effective plan?
Well, business continuity planning involves documenting procedures to guide how your organization will respond to and recover from a disruption. Putting together the actual plan usually falls to a governance committee; updating it during a disaster might fall to the Pandemic Response team, though.
In either case, C-suite involvement is critical. Most business continuity governing committees are headed by an executive sponsor. That sponsor is nominally responsible for initiating, approving, auditing, overseeing, and testing the BCP.
Meanwhile, day-to-day management falls to a business continuity coordinator, who might double as the crisis coordinator during a disruption. Depending on the size of the company, that coordinator might have a dedicated staff. Other in-house members of the committee include a senior security officer, the CIO (given the centrality of IT systems to business continuity), and senior representatives from the remaining business units.
Before drafting the BCP, the governance committee will undertake a business impact analysis (BIA), a methodical accounting of business activities and the effect business disruptions would have on those activities. The BIA is intended to help organizations isolate critical business functions in tandem with the processes and resources needed to support them. The process should be dynamic, though.
A flexible, action-oriented BIA is imperative. Sure, firms might have a good feel for the services and products they need to continue delivering in order to avoid severe revenue loss in the event of a major disruption. But it’s not a given that senior managers have a more nuanced understanding of the dependencies that underlie those services, especially in a fast-changing public health event.
After all, a lot goes into moving a product: internal dependencies, like employee availability, corporate assets, and support services, as well as external dependencies, like suppliers – all of which are probably being negatively impacted right now. A good BIA will capture all of those contingencies, then rank the order of priority of services or products for continuous delivery or rapid recovery.
BIA findings then get fed into the BCP proper, which typically covers the resources, services, and activities required to ensure the continuity of critical business functions. BCPs can take different forms. But usually, the following elements are present:
- A list of relevant company, insurance, and supplier contacts.
- Helpful information might include links to the appropriate state and federal regulator, e.g. Emergency Management Australia.
- Relevant standards with which the plan complies, e.g. ISO 22301.
- Organizing objectives and driving principles. The primary objective of your plan is to ensure maximum possible services levels are maintained. Meanwhile, assessing business risk for probability and impact might also be an important principle to document.
- The objectives and principles sections might be part of a longer executive summary, a comprehensive overview of the BCP.
- The contents of the BIA, including a list of likely threats, i.e. building loss, document(s) loss, systems going offline, loss of key staff, etc.
- Scenario planning for the risks you’ve identified. Once a risk is listed, the plan will outline probability and impact of occurrence, likeliest scenario(s) to unfold, business functions affected, actions to take and preventative mitigation strategies, staff responsibilities, as well as operational constraints.
Drafting the BCP isn’t the end of the story, though. Senior management has to still approve the draft, before the process of validating (and updating) the plan can even begin. What else is involved? Download our comprehensive guide to developing an effective business continuity plan to find out.