Every corporate threat may result in the same consequence: the loss or temporary cessation of key business processes. In February 2016, the Business Continuity Institute released its fifth annual Horizon Scan report, highlighting the level of concern about different risks and threats. The report tabulated survey results from 568 organizations worldwide, from 74 countries.
According to the report, the following are the top 10 concerns for businesses:
- Cyber attack
- Data breach
- Unplanned IT and telecom outage
- Act of terrorism
- Security incident
- Interruption to utility supply
- Supply chain disruption
- Severe weather
- Availability of talent/key skills
- Health and safety incident
Threats to a company’s ability to conduct “business as usual” are a continual concern for large, multinational companies, as well as smaller, domestic operations. Regardless of size, establishing methods to preserve critical business processes during any of the adverse concerns listed in the Horizon Scan report can improve the probability of operational sustainability and minimize the potential for lost revenues. Failure to develop an effective business continuity plan that addresses these concerns can lead to costly and devastating impacts, often affecting the long-term growth of a company.
In order to combat these concerns, the following must be identified for each operational site or location:
- Potential risks/threats
- Trigger events
- Impacted critical business processes/activities
- Incident response structure
- Warning and communication process
- Recovery time objectives
While reviewing a plan that addresses targeted risks and threats, key details and alternate provisional elements should be considered. The following basic Business Continuity Plan components should be reviewed to ensure concerns are addressed and processes are in place to minimize loss or the temporary cessation of key business processes.
- Key contacts: Identify and confirm all primary and secondary key contacts that must be made aware of a business interruption. Due to possible employee turnover or contact detail changes, it is important to routinely verify contact information for accuracy.
- Plan distribution list: Identify and confirm names, addresses, and contact information of those who retain access to one or more plans.
- Recovery plan:
  - Identify/develop parameters of business continuity strategies with regard to each identified risk/threat. This includes incremental processes and necessary procedures required to recover each critical business process.
  - Ensure communication methods and backup equipment will be adequate for each trigger event.
  - Response checklist timelines may include increments such as 1st hour, 24 hours, 48 hours, one week, one month, and long-term recovery.
- Key staff roles and responsibilities:
  - Develop job-specific checklists and procedures detailing responsibilities, from business continuity implementation through recovery.
  - Identify critical staff, at a minimum, for each critical business process.
  - If necessary, provide cross-team training in the event that primary team members are not available.
- Off-site recovery location: Identify and include addresses, contact info, available on-site equipment, and any necessary external equipment for effective continuity and recovery operations.
- Key customers’ data: Effective customer relations and communication may be critical in retaining clients and maintaining positive relationships during a business interruption. Identify communication methods, platforms, and required contact information in order to inform customers of disruptions to deliverables.
- Key supplier contact list: Logistics and transportation delays could affect delivery times; therefore the plan should address this issue. Identify dependencies and interdependencies along with key contact information.
- Alternate suppliers list: The consequences of a supply chain failure on associated key business components can be crippling. Through the planning process, alternatives can be explored to reduce the impact of supply chain disruptions.
- Backup data details: Identify details of computer backups and recovery methods. Ensure that staff training is in place to maintain data accessibility, security, and recovery.
- Technology requirements: Identify necessary hardware and software, and the minimum recovery time requirements for each business unit. Ensure best practices are in place regarding backups and IT security.
- Equipment requirements: Identify equipment requirements for each business unit and recovery time goals.
- Implement improvements:
  - Track and update key details and associated processes as deficiencies and inaccuracies are identified.
  - Incorporate newly identified hazards and vulnerabilities into the business continuity plan.
  - Include necessary equipment used (requiring replacement or replenishment).
  - Incorporate lessons learned into the plans and necessary training.
  - Periodically evaluate critical business processes to ensure that evolving business practices are captured.
  - Periodically evaluate risks and threats to ensure that concerns are addressed in the plan.