Constructing a successful business continuity planReprints
Being prepared is the cornerstone of having a business continuity plan regardless of the size of a company. Ultimately, getting back to taking care of customers as seamlessly as possible is the goal, says disaster preparedness expert Alan Berman, president and CEO of DRI International.
Recently, the world has been bombarded by events that strain the resources necessary to maintain operational capabilities. Natural disasters, cyber attacks, epidemics, and political and military unrest have all captured the world's attention.
But while preparedness demands we consider how to deal with these large-scale events, we also need to focus on events that might not make the headlines: A cable-seeking backhoe disrupts telephone service to a major airline's reservation system; a ruptured water pipe renders a $100 million data center inoperable; a defective ingredient turns a cosmetic into a skin irritant. And the list goes on.
In approaching the creation and implementation of business continuity plans in light of these challenges there are five critical elements to consider:
• Consider the effects, not the causes:
A single disruptive event can be followed by multiple effects. A tsunami, record earthquake and nuclear power plant meltdown occurring over a three-day period would be impossible to anticipate and create in a training scenario. The same can be said when a truck overturns, spilling hazardous waste and destroying an electric transformer.
Business continuity professionals have been trained to deal with a multitude of possibilities, creating plans that focus on the consequences of these incidents. This allows organizations to better prepare for maintaining their viability without trying to predict what the next event will be.
Effects can be classified into four categories:
Loss of facility — Offices, factories, warehouses and other physical structures can become inaccessible or unusable due to floods, fires, chemical contamination, loss of power, condemnation by inspectors and more.
Disruption in operations — Vital resources needed to carry out operations can be interrupted due to labor strikes, supply chain breakdown, mass transit disruption, pandemics and other events.
Technology disruption — Incidents that deny organizations the use of their technology can be caused by hardware malfunction, cyber attack, network failure and software issues, among other things.
Organizational issues — Issues that prevent organizations from fulfilling their obligations such as legal, regulatory, intellectual property, bankruptcy and financial malfeasance, among others.
• Data backup:
While an organization can always move to a new office, replace equipment and reconnect communications, the loss of information may be irreversible.
With the advent of cloud technology and automated backups, the solutions to protecting information are available to everyone. Small businesses can keep all their information in an easily accessible and inexpensive environment. As the data resides remotely in the cloud and is available on a local drive simultaneously, the concern for backups is removed. There are other advantages to this method of storage, such as data sharing, availability of multiple devices and easier collaboration.
• Relocation site requirements:
Moving an operation to offset the loss or inaccessibility of a site affected by a disruption requires insightful planning. Not only must one be concerned with providing adequate space, equipment and security, but logistics, policy and even creature comforts may become obstacles. Consider these actual cases:
Logistics — A major financial institution has a recovery site with redundant power and communications feed and 24-hour surveillance and security. When 9/11 rendered their main site in lower Manhattan unusable, the company immediately activated its recovery site and notified its personnel to report to work there. It sounds relatively simple. But what they didn't anticipate was that 95% of their employees relied on mass transit to get to work, and mass transit service was disrupted. It took a week for alternative transportation to be put in place, and the new arrangements caused employee commuting time to double and triple, resulting in poor morale and quality of work.
When considering a recovery site, organizations should consider how it will change travel arrangements for employees.
Policy — A major consumer products corporation had located its customer service and accounts receivable departments in a midsize Southern city. Its recovery site was located 60 miles away. After an ice storm closed down the main facility, the staff was ordered to report to the recovery site. However, the company's human resources policy stated that if the main facility was closed, employees did not have to report to work and would be paid for their time as though they had reported to work as usual. When only 20% of the staff reported to the recovery site, the company struggled to operate with this reduced staff and its team of executives.
Organizations must consider company policy and contractual stipulations, including union agreements, when determining recovery strategies and ensure that there is alignment.
Creature comforts — A securities trading organization had located its recovery site some distance from its facility in Manhattan. After their office building was destroyed in 9/11, they all assembled at the recovery site ready for business as usual. But the operation almost ground to a halt when their morning routine was rudely interrupted: no New York City-style bagels in the building's cafeteria! The problem was solved several hours later when, after three attempts, a suitable bagel supplier was finally found.
Consider taking into account special requirements when procuring a recovery site.
• Marketing advantage:
Whether an organization is a major end-product producer or a small vendor in the supply chain, customers are concerned with their ability to meet demand in a timely manner. New regulations, especially those that apply to banking and health care, not only require companies to perform due diligence on their vendors, but are explicit in requiring that suppliers have robust business continuity programs in place. In fact, some regulations require suppliers to participate in testing plans to ensure that end-to-end recovery can be achieved. Requests for proposals are now asking explicitly for the ability to review supplier plans.
Aside from legal compliance, organizations with robust business continuity plans have a better chance of avoiding disruption to their customers, which can strengthen customer relationships and loyalty.
• Optimize insurance coverage:
A key component that will help organizations maintain their viability in the face of disruptive events is the ability to transfer the risk from the organization to another party through insurance.
Business continuity planning can help identify the financial consequences of an outage and the cost of resources necessary to get an organization back and running. This information is vital to understanding two specific types of insurance:
Business interruption insurance provides protection for the loss of profits and continuing fixed expenses resulting from a break in commercial activities due to the occurrence of an insured peril.
Extra expense insurance pays for the extra expense of maintaining operations after an accident to an insured item until normal operations can be restored.
This kind of safety net is reassuring in planning for the future of an organization.
Creating a holistic business continuity plan requires a comprehensive understanding of potential organizational risks and, equally important, how to help organizations prepare for and recover from business threats of every kind. Make sure your business continuity professionals have achieved the highest possible levels of certification from a credible organization.
Alan Berman is president and CEO of DRI International, a nonprofit organization that helps companies prepare for and recover from disasters. He has over 25 years of experience in risk management, business continuity and disaster recovery. He can be reached at firstname.lastname@example.org and 866-542-3744.