5 Steps for Creating an Effective Business Continuity Plan
Steven Minsky | Dec. 22, 2015
At LogicManager, we are firm believers that embracing risk management can result in two boons: ease of mind and success. On a related note, we recently came across an article by Carl Richards in The New York Times titled “For True Freedom, Learn to Deal with Uncertainty.”
“Right now, I’m working really hard on both having goals and accepting the reality of uncertainty,” Richards says. “In fact, I embrace the uncertainty and say to myself, ‘given that goal, and given the uncertainty, what’s to be done next?’” He summarizes himself with a diagram scrawled on a napkin. It’s quite simple:
Richards’ cycle is in some ways the heart of LogicManager’s mission, Manage Tomorrow’s Surprises Today ®. Nobody likes being surprised when it comes to business, and many surprises are nearly impossible to prevent, so it stands to reason that only by managing those surprises can we achieve a more desirable outcome.
No governance function embraces the concept of managing surprises quite like business continuity planning and disaster recovery (BCP/DR) programs. A BCP/DR strategy is in effect the management of high-velocity risks. What your organization does in the 24 hours after a disruptive scenario can often make or break the business.
For William Bauer, this might literally be the case. Bauer is the managing director of Royce Leather, a company based in New Jersey. During Hurricane Sandy, floodwaters destroyed thousands of dollars’ worth of goods, and a “$100,000 server, which held vital customer records, was also destroyed,” according to The New York Times. Before the 2012 hurricane, Bauer hadn’t drawn up a sufficient BCP/DR program; the resulting chaos cost him his mental wellbeing and financial stability and nearly crippled Royce Leather.
Bauer certainly wasn’t alone. The 2015 Travelers Business Risk Index indicates only “21 percent of small businesses have continuity plans,” and “as many as 40 to 60 percent of small businesses never recover” from unforeseen catastrophes like natural disasters.
Bauer took this lesson to heart, creating a short but succinct Business Continuity & Disaster Preparedness Strategy in case something similar happens again.
What characterizes a good BCP/DR program, and how can LogicManager help you achieve it?
So far, our discussion of business continuity plans have been straightforward and abstract: A good business continuity plan “targets the biggest business risks and critical functions that keep revenue flowing.” BCM software helps identify those critical functions by providing a standardized criteria to complete a Business Impact Analysis (BIA). A key component of the BIA is understanding what vendors, applications, organizations, and organizational data are utilized by your core business processes. This web of information, called a risk taxonomy, is the backbone of any enterprise-wide approach to risk.
With a robust business continuity plan, companies will generally install improved systems, adopt better data recovery options, and (often) have the added benefit of reduced insurance premiums.
The 5 steps to formulating your business continuity plan
The general process outlined by The New York Times is very similar to our approach at LogicManager. In order to mitigate risk effectively, it is crucial to first devote a sufficient effort to identifying, assessing, and evaluating predominant areas of interest. This enables a focused expenditure of the resources needed to construct appropriate mitigation activities, or controls. Once underlying root causes are uncovered and matched to the proper mitigation activities, risk monitoring strategies can be implemented to confirm the root causes are being neutralized accordingly.
The five recommended steps are:
- Identify/analyze critical functions.
- Focus on risks with severe or even catastrophic consequences. These risks can be prioritized by setting global risk tolerances and risk appetite so you know which ones fall farthest out of that range.
- Create specific strategies, also known as mitigation activities, to protect the critical components identified in step 1.
- Test the plan before it’s actually needed.
- Update, review, and change the plan as needed.