With the increase in climate change impacts, such as flooding and power outages no one wants to be “closed” losing clients, reputation and revenue. Many organizations understand that it’s important to be prepared for unforeseen business disruptions, yet are unsure how to develop a plan that will carry them over the finish line.
A policy statement should exist that clearly assigns responsibility for the Business Continuity Management Program governance at a senior level, and the responsibilities for preparing the plans to assure that critical processes and services are maintained. If the job descriptions don’t exist, the work won’t get done.
There are three key supports to any business continuity plan:
- technology; and
Tenants expect their facilities manager to have plans in place to protect their assets and to continue services which they may deem critical at the time of the disruptive incident. Once the emergency management phase is over, and people, the environment, and property are made safe, the business continuity process kicks in with a focus on the most critical and time sensitive processes and services.
With only 9% of small business reporting that they have continuity plans, if a tenant population is largely SMB, the facilities manager can expect a lot of confusion at the time of the incident and should be well prepared with a leadership focused communications plan. Advance communications to the tenants to help them understand the scope of your plan, how and when communications with them will take place, and the fact that they are responsible for developing their own plans can go a long way to shorten recovery times.
It’s critical to right size the effort and keep the plans simple enough to be understood by those responsible for carrying them out without creating a maintenance nightmare. Basic checklists of the steps to be followed, standardized damage assessment forms, clear instructions for communications protocols and associated timing are key ingredients. Contact list details should be maintained separately so the plan doesn’t become a phone book with names and phone number interspersed throughout the documentation.
Performing both and internal and external risk assessment assists in developing the appropriate plan content. This is not to suggest that a plan should be developed for each and every risk scenario identified, but to ensure that one all hazards checklist is sufficient in scope to address various sizes and shapes of business interruption. Ensuring that the responsible executives are aware of the risks, potential mitigation strategies, or that they chose to accept the risk is an important step. Many tenants may not understand that their computer room does not have fail over emergency generator power, for example. They know the building has a generator and simply assume that means they will have power in an outage.
Prioritizing business processes and services is an important step in plan development because it helps generate an order of recovery. Those priorities and timelines are also key to development of the information technology recovery plan (IT Disaster Recovery Plan) that supports the Business Continuity Plan (BCP). The BCP documents how the processes and services will be recovered using alternate space, other supporting resources, or manual work arounds. The IT DRP documents the procedures for recovering the technical infrastructure and environment.
Plan activation requirements are difficult to clearly define as every incident varies in size and scope. Pre-activation of plans may take place in advance of severe weather, for example, so work can be transferred to alternate locations before the disruption occurs. Simple decision trees can assist those responsible rather than trying to grade the level of disaster.
Carrying out regular exercises of the plan helps to keep it fresh and content updated. Testing the plan at the time of the incident should be avoided, as there may be many gaps which haven’t been addressed.
With a bewildering array of tools and templates available on the internet, it’s often hard to understand where to start, or how to apply the downloaded documents. There are some degrees that approach and methodology can be deployed in multiple environments. However, that must be tempered with the fact that every environment, organization, business and group of people is totally unique.
Consultants can use an existing framework that they may have successfully deployed in the past to facilitate various BCP implementations. However, the unique set of priorities considered by one organization may not fit the next group the consultant works with.
The consultant may have a cross business viewpoint which can help their customer understand how to model their business impact analysis and process prioritization; however BCP is not a “one size fits all” exercise. Using an experienced consultant can result in spending a little to save a lot. The most important result should be knowledge transfer as the plan belongs to the organization preparing it at the end of the day.
There are workshops available for small business, as well as courses offered by the Disaster Recovery Institute Canada.
Help is out there to get the plan done and be better prepared; when clients ask about the BCP, be ready to say it’s in place.
Ann Wyganowski is a Master Business Continuity Professional (MBCP), and Certified Business Resilience Manager (CBRM) and Member of the Business Continuity Institute (MBCI), all of which are internationally recognized designations in the field. Ann sits on various emergency management and business continuity boards as a volunteer and is the Treasurer of the Disaster Recovery Institute Canada. She is a recognized senior consultant in the industry with a prosperous consulting practice. You can contact her at firstname.lastname@example.org or visit bcphelp.com.