Business Continuity Plan
What is a Business Continuity Plan?
The business continuity plan (BCP) is an overarching strategy describing how the business will continue to operate in the event of a local disruption due to natural or man-made disasters.
Business continuity planning is an important activity that ensures consideration is given to how and where people would work to carry out the business, how IT and logistics operations would continue and how business operations would be normalized when possible.
Why is a Business Continuity Plan Important?
Terrorism (both domestic and international), natural and weather disasters, fire, and even pandemics can interrupt business operations locally or globally, and businesses need to be prepared to deal with all of them. Disruptions are rarely planned and can impact a single building, an entire city or region, or the whole globe, as in the case of a pandemic. They can even include more minor problems like loss of power to a data centre or loss of internet or telephone services to an area. While businesses can absorb some level of disruption for a period of time, they need to have plans in place for continuing operations, or they risk negative impacts that can lead to going out of business entirely.
Business continuity planning exercises are important because they enable the business to describe and plan for disasters of every type and size, creating a response that can be carried out efficiently should disaster strike. Business continuity planning has also become easier as operations migrate to cloud environments, since these make it possible to absorb many disruptions with far less effort than before.
Business continuity planning includes two levels of deliverables: a business continuity plan summary, which provides basic information on the business continuity plan for different levels of disaster, and the detailed, step-by-step plan laying out the actions to be taken. The business continuity plan summary should also include a list of business services and the speed with which they must be recovered, including areas like technology, manufacturing, sales and accounting.
Without such planning, the business is forced into a reactive recovery, which takes longer to execute and is more costly than a well-thought-out business continuity plan. Another reason business continuity planning is important is that business operations can be designed and carried out to make them more agile in the face of disaster. In a VUCA world (volatile, uncertain, complex and ambiguous), the only thing that’s certain is uncertainty, and business agility provides a competitive advantage.
Certainly, from an IT perspective, using a virtual data centre approach where the operational load is spread across several data centres enables automated failover in the event services are disrupted in one area/region. Distributing manufacturing services is a similar approach, and both might be one possible outcome of business continuity planning.
What Does a Business Continuity Plan Include?
Business continuity plans should enable every aspect of the business and can be built by a core team of business stakeholders that includes executive management, technology teams and representatives of core business functions. This ensures that all aspects of the business are considered. It should include the following areas:
- Business continuity plan objectives
- Continuity scenarios covered by the plan and risk assessments for them
- Roles and responsibilities
- Documentation for actions to be taken:
  - Making the call to invoke the business continuity plan
  - Reporting issues to local officials, with phone numbers/websites
  - Management and key staff members’ contact information
  - Data recovery plans and the IT business continuity plan
  - Business and operational recovery plan
  - Return to normal operations procedures
The business continuity planning process is heavily dependent on the types of scenarios it includes and the preparations needed to recover should they occur. For example, understanding the potential scenarios and recovery options available to address them makes building the plan easier.
- Data centre down due to physical damage or power/communication outages:
  - Scenario 1: Cloud environment, multiple data centres
    - Response Plan: Take no action. Allow the automatic failover and accept the risk of lowered performance.
  - Scenario 2: No failover data centre
    - Response Plan: Determine how long the business can operate vs expected duration and decide to invoke the IT business continuity plan.
- HQ inaccessible or damaged
  - Scenario 1: No other buildings locally
    - Response Plan: Move to a work from home (WFH) model until HQ is accessible
  - Scenario 2: Limited space available in other campus buildings
    - Response Plan: Move departments that must work on-site to other buildings; other employees work from home
Another aspect of the business continuity planning process is understanding available resources for both business recovery and IT recovery. As a result of the global pandemic, companies now realize they can be very effective in situations where large portions of their staff work from home. But manufacturing facilities and other areas that require physical facilities require a different business continuity plan that may involve standby sites known as hot-sites or cold-sites that could be brought online if needed. This has financial drawbacks since these sites need to be paid for annually even if never used and business continuity insurance only pays for expenses incurred because of declaring a disaster, not costs associated with backup sites.
This is where laying out the company’s business continuity plan can be helpful. Many organizations have moved infrastructure services to public cloud providers to lower operational costs while locating services in redundant public cloud data centres. This changes their response. In many cases, the public cloud provider will offer some level of redundancy to protect their own business, and even if they don’t, the company’s redundant design moves them into a scenario where their IT business continuity plan is simply to do nothing: allow the virtual cloud environment to protect the business fully.
Similar approaches can be taken with manufacturing facilities or shipping warehouses by moving out of large facilities into multiple smaller facilities. While it may seem like this is not business continuity planning, the natural move into more agile or resilient operating models can be a legitimate outcome of some organizations’ business continuity plan objectives, particularly if one of the objectives is to achieve operations that a localized disaster cannot impact.
When the business operation is less agile, the steps of building a business continuity plan are more critical. This plan should document all steps needed from how the call is made and who makes it, to the ways in which employees are expected to call in and list themselves as safe, and finally to how the business will become operational in another location if needed. The business continuity plan should also include the steps for returning to the primary location and the order in which they are achieved.
Steps Involved in the Business Continuity Plan
Business continuance plans aren’t complicated to build if the organization is willing to take the time to work out each aspect of the plan. There is a clear set of steps to be taken:
Strategy & Planning
Vision and strategy should always start any planning process. For business continuity planning, the strategy step should include the following areas:
Define disaster scenarios to be included in the plan and their scale/scope
Identify the scale of disaster scenarios to be covered by the plan for business and IT operations. For example, some organizations include minor disruptions like a power failure in a data centre or HQ building, while others only address building-wide or regional issues. Similarly, most organizations failed to plan for pandemic situations and scrambled in 2020.
Scenarios to be covered should include a description of the type of disaster, ranging from, for example, a weather scenario that takes out services in an entire region and destroys some buildings to minor issues like damage to an office building or data centre.
Business continuance plans should also be developed for situations of global impact, like a pandemic or situations caused by terrorism and government instability.
Scenarios should be listed in order of scale, and a decision should be made regarding which ones the organization will include in its initial business continuity plan. The plan can be expanded over time to include as many as desired.
Perform a risk assessment
The risk assessment at this level should be documented for each scenario and should include the likelihood and the business impact if that risk should occur. Every area of the business should be included.
As this level of planning is performed, it will become clear that some scenarios won’t be mitigated due to low impact and likelihood, while others will have extensive business and IT continuity plans due to high impact and high likelihood.
Build mitigation strategies
For every area of risk identified, document and agree on the mitigation strategies to be executed in the event the scenario occurs. This should include every aspect of disaster planning.
For each mitigation plan, a full procedural guide should be created because when people are faced with disaster, they are often under stress and cannot be counted on to think about what to do vs following a set of clear instructions.
Every staff member needs to be trained in two basic areas: expectations about reporting in, even if they were not at work when the disaster occurred, and carrying out their department’s plans. Dress rehearsals are another way to ensure people are prepared.
Audit the plan
Review and revise the plan frequently. Changes to the business will often require changes to business continuity plans.
The best way to ensure your business continuity planning is sufficient is to conduct business continuity plan audits. The audits may go as far as conducting a dry run for the higher impact scenarios, then documenting and scoring results.
A business continuity plan audit will include a deep analysis of the plan’s documentation, and auditors will look for proof all preparation steps included in the plan have been taken. For example, if the plan says all staff in specific departments are provided with laptops and the ability to access systems remotely, auditors will want proof this exists. If the plan calls for annual dress rehearsals or dry runs to be carried out, the audit will include reviewing the results of these activities.
Business continuity plan audits can be performed internally as part of the overarching program, but it’s always best to get an outside opinion on the plan’s quality and the results of planning efforts.
Instead of conducting audits, some organizations opt to do a complete cutover, shutting a main operational facility and declaring a mock disaster and then reestablishing operations according to their plans, finally reversing the activity to restore normal operation. The entire exercise is analyzed, and improvements to the plan are documented and incorporated into the ongoing business continuity plan.
Either approach will indicate opportunities for improvement, but business continuity plan audits have far less operational impact, making them an effective tool for evaluating the program.
CG Technologies has helped many with their business continuity plans. They offer a range of services to protect your business data and IT infrastructure to keep your business safe.