For many businesses, they are nothing more than words.
Business Continuity is more than simply having a slightly modified template version of a Business Continuity Plan (BCP) that took a few hours to complete in order to satisfy your manager or an outside entity. Instead, it is a never-ending process of risk assessments, risk mitigation, plan maintenance, testing, and improvement.
A Business Continuity Plan describes the processes and procedures an organization puts in place to ensure that essential functions can continue during and after a disaster. Business Continuity planning seeks to prevent interruption of mission-critical services and to reestablish full functioning as quickly and efficiently as possible. A well-documented and tested plan serves as a roadmap to prevent the escalation of loss, thereby reducing the economic impact to the company and its employees in the form of loss of customers, market share, profits, reputation, and jobs.
How will your company respond to a significant business disruption such as a hurricane, tornado, data breach, earthquake, power loss, fire, or flood?
For an example of how not to respond, view “The Office” fire safety video on the Internet.
Business Continuity is centered on three key elements:
- Resilience: critical business functions, operations, supplies, systems, and relationships are designed and engineered in such a way that they are materially unaffected by most disruptions, for example through the use of redundancy, spare capacity, and the ability to perform the function remotely.
- Recovery: planning and arrangements are made ahead of time to promote the recovery of critical organizational functions that could fail at the location.
- Contingency: the organization establishes a preset capability and readiness to cope effectively with significant business disruptions. Contingency preparations constitute an alternative response if Resilience and Recovery arrangements prove insufficient.
So how do you take action? Let’s start with two main components of a BCP.
A key part of the BCP process is to conduct a vulnerability analysis, which is an assessment of the potential risks to the business that could result from disruptive events, disasters, or emergency situations. It is necessary to consider all the possible incidents and the impact each may have on the organization’s ability to continue to deliver its normal operations.
The following potential disruptive event groupings are typically assessed:
- Environmental Disasters
- Equipment or System Failure
- Loss of Utilities and Services
- Organized and/or Deliberate Disruption
- Other Emergency Situations
- Serious Information Security Incidents
Each potential disruptive event in each grouping should be assessed to determine its possibility of occurrence (Probability Rating) and its possible impact (Impact Rating) on People, Property, and the Business, using set numerical values for each rating combination. The results are documented in a Vulnerability Analysis Chart. Types of disruptive events with a high rating need to be examined in further detail, with a prepared analysis of the consequences of the specific scenario.
Business Impact Analysis (BIA) Questionnaire
The Business Impact Analysis (BIA) Questionnaire is the tool used to gather pertinent information about an Organizational Unit Function, Product, or Process, including Business Recovery Time Objectives (RTOs), Recovery Assumptions, Recovery Options, Critical Resource Requirements, Manual Workarounds, Special Procedures, Vital Records, Dependencies, and Maintenance Triggers/Future Endeavors.
The information captured through the BIA Questionnaire completion process is mapped against various business and/or operational impacts, which helps to facilitate the development of recovery strategies and prioritize recovery efforts at both the Organizational Unit and critical process levels.
At a minimum, BIA Questionnaires should be reviewed semi-annually and updated or revised as necessary, and each review should be documented for reference and auditing purposes.
The BIA information is a core component of building a Business Continuity Plan and, ultimately, vital information that will be used and relied upon in the event of a disaster, event, or disruption.
Don’t wait until it’s too late and you’re in the middle of a crisis. Conduct your analyses now and be prepared to respond. My next blog post will provide additional key components of a BCP such as assigning specific job functions and testing outcomes to help you fully put your plan into action.
Linnea Solem is Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation and a former Chair of the Shared Assessments Program. Linnea is a management professional with 20+ years of financial services experience in the areas of eCommerce, technology, business development, marketing, information practices, and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.
Reposted with permission from Deluxe Blogs