How to Create an Effective Business Continuity Plan
The cyberattack against Distribute.IT in June 2011 was one of the most devastating to ever occur in Australia.
The attack was so sophisticated and well-coordinated, it damaged the data on four servers. It also wrecked all back-ups, causing about 4,000 websites to be permanently lost. Distribute.IT never recovered from the attack and was forced out of business.
No amount of planning can fully prepare anyone for an attack of this size. But having a business continuity plan (BCP) is your best shot at recovering from a massive incident and moving forward.
Even if you already have a continuity plan, you still need to audit it periodically to verify that it still meets your needs. You also need to test it regularly to ensure it functions as you expect.
Here’s the Lowdown on Business Continuity Plans
A BCP allows you to continue delivering critical products and services to your clients after a disruption of normal operations. By “critical products and services” we mean those that you need to deliver to ensure survival, avoid injury, or meet legal obligations.
A BCP includes plans for fully recovering the organisation’s data, facility, and other assets. It must also identify the resources needed to support business continuity, including the following:
- Financial allocations
- Infrastructure protection
- Legal counsel
To be fully effective, a BCP must be completed before the disruption occurs. This proactive approach also allows you to demonstrate your commitment to stakeholders such as customers, employees, and shareholders.
Additional benefits of a BCP include the identification of critical resources and a general improvement in organisational efficiency.
People who are new to this often think they’re the same thing as disaster recovery plans (DRPs), but it’s as different as night and day.
A BCP is a proactive plan for mitigating the risks associated with the disruption of operations. A DRP is a reactive plan for recovering from a disaster after it has already occurred. A DRP is a part of a BCP that deals specifically with the restoration and safety of critical facilities, personnel, and procedures.
A BCP is important as it ensures they have the information and resources needed to deal with any emergency, which may have a natural or man-made cause.
Man-made disasters may be accidental or intentional. Accidents are events that disrupt essential services such as communications, power and emergency services. These events often include the following:
- Ruptured gas or water mains
- Overloaded power grid
- Internet outage
- Hazardous material spill
Intentional man-made disasters, on the other hand, include hacking and sabotage.
The Anatomy of an Effective Business Continuity Plan
An effective BCP consists of the following phases:
Outline your objectives and goals
This includes the departments that it will cover, the level of detail, expected outcomes and budget. The BCP’s budget should cover all associated costs, including research, materials, and training.
Assemble your squad
Staff members will be split into task-oriented teams that will work closely together during an emergency. Their responsibilities should be clearly outlined to avoid confusion during this period, especially the responsibilities they share with backup team members. All team members will need to provide their emergency contact details.
Conduct a business impact analysis
Evaluate the impact of specific threats for each aspect of your organisation’s operations. This phase can help identify key areas that may need extra resources in an emergency. You need to prioritise the use of resources — this keeps your organisation going even in a chaotic setting.
Plan how to maintain operations
This phase includes developing strategies to overcome any disaster, including prevention, response and recovery.
Prevention strategies are measures that are implemented before the disaster and are intended to prevent damage from occurring in the first place. Response strategies come into play when a disaster affects the business, which include evacuation plans. Recovery strategies are implemented to re-establish normal operations.
Test and train annually
Your business continuity plan needs to be practised and evaluated regularly. Business continuity team members and other key employees should perform specific drills and general simulations.
Schedule regular reviews and updates
Many types of changes can affect a BCP such as general changes in your industry, which are often the result of technological advances. Specific threats such as newly identified security vulnerabilities can also require you to update your BCP.
Periodic reviews ensure your plan remains effective over time, whether they’re an internal audit conducted by your own team or a third-party IT partner, whose outside perspective and experiences you can benefit from.
Disasters are inevitable and unpredictable, whether they’re natural or man-made. The impact they will have depends on the initial damage they cause and the cost of returning to business as usual.
Disasters have the potential to be extremely disruptive, even fatal for a business. With so much at stake, one simply can’t afford to go without a BCP. Think of the cost of having one as an investment.
Keen to get started on developing a business continuity plan? Leave us a note, and we’ll get in touch with you.