Disasters are unpredictable and random. Whether it's the wrath of Mother Nature delivered via tornadoes in Alabama, Missouri, Minnesota or even Massachusetts, or man-made like the 9/11 attacks or simple accidents, disasters can result in chaos. A detailed Business Continuity Plan can make the difference between quick and successful navigation of disruption or a lengthier and often costly recovery. By preparing for the worst, you can not only help protect your mailing operations, you can also help ensure the survival of your overall business.
According to the Center for Research on the Epidemiology of Disasters, between 2000 and 2008, there were on average 392 disasters per year. The average annual economic damage was $102.6 billion worldwide.
What is Business Continuity Planning?
In the post-9/11 world, Business Continuity Planning is now baked into corporate security planning as businesses must keep functioning during all sorts of disruptive events. The primary goal is to help organizations stay in business by minimizing the impact upon clients, establish contingency plans to limit the impact of damage and mitigate losses. It's more holistic than Disaster Recovery because it looks at the implications of many potential scenarios not just the event and its immediate aftermath. Business Continuity Planning provides a comprehensive, long-term approach involving data and IT infrastructure contingencies as well as planning for disruptions to facilities, materials and equipment. In the service sector, Business Continuity Planning also includes protecting customer data, inventory and materials.
Planning should start long before disaster strikes. Smart businesses take a proactive stance, from the CEO downward, making Business Continuity a priority for the entire organization. The process involves management, IT, operations, logistics, real estate, legal, risk management, HR, sales and marketing. All disciplines working together to develop an integrated plan, giving everyone a stake in that plan's success.
There are three key phases of Business Continuity: the plan, the implementation and the follow-up.
Phase 1: The Plan
A Business Impact Analysis covers all aspects of the business and is usually initiated by top management. Analysis involves cross-departmental teams identifying the business's most critical systems and processes and the potential effects a disaster. A thorough risk assessment would also include an inventory of the entire business, the facilities and, for each facility, the people, equipment, software, property and relevant data housed there.
Business analysts would then explore what could happen, imagining as many scenarios as possible, hypothesizing how to handle each and prioritizing the inherent risks. The scenarios should include the "domino effect," when more than one thing goes wrong. The recent earthquake in Japan is a case in point. First Japan had an earthquake, than a tsunami, followed by a nuclear disaster. The Business Impact Analysis helps determine the sequence of activities, identifying which services should be restored first.
Once complete, a written Business Continuity Plan provides a highly detailed, step-by-step primer on what to do and when, who to bring in and how to follow through. The best plans include simple and easy-to-follow Checklists and Priorities for individuals in stressful emergency situations. Since staff turnover is an ongoing issue, the plan must be written by "job function" instead of name of individual.
The document further defines emergency response protocols and the "recovery point objective" or when the recovery mission is deemed complete. This is crucial for the long-term health of a business, particularly service businesses, as the customer is the ultimate arbiter of when service and costs for service are back to normal.
The Business Continuity Plan should establish communications guidelines and service levels that will enable staff to effectively manage customer expectations throughout the disaster and its aftermath. As data integrity is the backbone of many service organizations, sections on IT planning and recovery must detail procedures for backing-up data and designating alternative sites for housing data. If the need is great enough, as in the financial services industry, duplicate systems are often created off-site, ready for deployment at a moment's notice.
The final part of the plan development is Annual Training. Everyone involved must review the plan at least annually. Remember that organizational structures and personnel change all of the time. New team members need to fully understand their current role. Executive management needs to sign off on the plan, empowering the management team to rapidly respond to the disaster that is at hand. The plan must be rigorously tested under conditions as realistic as possible. Each facility needs to designate an owner for that site's Business Continuity Implementation team.
Phase 2: The Implementation
With the Business Continuity Plan in place and the staff trained and ready, every situation, no matter how onerous, can be met with confidence. When disaster strikes, immediately implement the plan. Take care of the short-term needs first and let the plan run its course.
Below are ten best practices during the implementation phase:
1. Ensure Employee Safety. Employees are a business's most valuable resource. Follow proper safety procedures for evacuation in the event of a fire or natural disaster, making sure that everyone is out of the building and at a safe distance. Perform a physical headcount to verify that no one has been left behind.
2. Contact Local Emergency Assistance. Cooperate with local authorities and let trained professionals do their jobs without interference.
3. Secure IT Data Center. If the data center is endangered or compromised, implement the IT disaster recovery plans.
4. Secure Client Information and Assets. Especially important for service providers, getting client information, materials and/or product to a place of safety must be top priority. In the case of a natural disaster, such as a fire, onsite security can establish a perimeter.
5. Contact Corporate Executives. The on-site team will be in the thick of things from the start. Smart organizations know to tie-in the corporate executives immediately. This executive immersion promotes organization-wide accountability and enables businesses to tap into their resources to resolve problems swiftly. My experience tells me that local or on-site management is in the best position to react to the situation at hand. Corporate personnel can gather the necessary resources to help ensure that the on-site management does indeed have access to those resources.
6. Notify Customers. The best relationships are built on trust. In the event of a disaster, that trust can be a source of strength. Share information early and often with customers, so there are few surprises and no recriminations on the road back to normalcy. Personal outreach from senior manager to senior manager goes a long way toward instilling confidence that the situation is under control.
7. Contact Recovery Partners. Reach out to resources that can keep the infrastructure together, if necessary, while the Business Continuity Team focuses on delivering services and keeping customers happy. You may need to engage data warehouse resources, building security firms and key vendors to provide stop-gap assistance.
8. Move to a Secure Location. When the physical plant is no longer operable, or the building site presents dangers, the business must move all personnel to a pre-planned secure location. Off-site data centers take over business critical processing.
9. Communicate. Communicate. Communicate. Foster open dialog between on-site staff and the corporate Business Continuity Team. It's extremely important to reach out with available information for customers early on and follow up with periodic updates so customers remain in the loop.
10. Begin Restoration of Services. Even while the disaster is unfolding, restore service quickly by following the preordained Business Continuity Plan.
Phase 3: The Follow-Up and Fine Tuning
After the initial shock recedes and immediate customer needs are met, it's important to maintain momentum for the full-term of the recovery process. There's no point in winning the battle over disaster to lose the war on recovery. A comprehensive Business Continuity Plan will continue through these post-event projects:
· Physical Plant Replacement/Rebuild. Disasters impact buildings and the materials inside. Your plan must include procedures — and budget guidelines — for decisions regarding when to replace or rebuild. On-site staff must identify the needs for repair or replacement and coordinate efforts with corporate.
· Keep Open Lines of Communication with Corporate Staff. Cooperation between on-site personnel and corporate can speed the return to normalcy and demonstrate to employees that everything is under control.
· Maintain Ongoing Communications With Employees and Customers. Provide regular updates on the status of the building repair. Let employees know when they can get back into a refurbished building or where they will be relocated. Keep customers reassured that their products and/or data are secure and that service will continue.
· Focus Communication to Major Customers. Identify a designated point of contact to ensure consistent and reliable communications. Funnel all questions and answers through these staff.
· File Appropriate Insurance Claims Quickly. Work hand-in-hand with insurance companies so claims can be processed in a timely and accurate manner. Keep careful records of all materials status and repair. As necessary, help customers with whatever backup needed for insurance claims.
· Provide Customers with Confirmation of Recovery and Destruction. When managing customers' data and other secure items, it's critical there are no security breaches. Confirm which materials have been completely recovered and which have been completely destroyed.
· Conduct a Review of the Incident. Publish detailed findings as a "lessons learned" for the Business Continuity Planning team. Share the executive summary with senior management to describe what worked and what needs improvement. Provide customers with "lessons learned" to assuage any remaining anxieties.
· Reflect/Refine/Revise. While your Business Continuity Plan was well-implemented and avoided costly, long-term impact to your company, it's always wise to make adjustments, incorporating real-life learning into the previous hypothetical plan.
· Know Your Contractual Obligations. Review each contract and clearly communicate to team members your obligations.
· Remain Vigilant. Your business came through the disaster with success, thanks to a well-planned and well-executed Business Continuity Plan. Think ahead; be ready for next time.
Preparing Your Business for the Unexpected
Successful Business Continuity Planning is a long-term corporate commitment that takes advance work, assessing risk, identifying resources and generating detailed protocols. An experienced and fully-trained staff, which is accustomed to making decisions, following a formal plan can mean the difference between effective response and a complete breakdown in customer service.
With a proper Business Continuity Plan in place, you can sleep at night, knowing your team is prepared and your business is secure.
According to the Center for Research on the Epidemiology of Disasters, between 2000 and 2008, there were on average 392 disasters per year. The average annual economic damage was $102.6 billion worldwide.
What is Business Continuity Planning?
In the post-9/11 world, Business Continuity Planning is now baked into corporate security planning as businesses must keep functioning during all sorts of disruptive events. The primary goal is to help organizations stay in business by minimizing the impact upon clients, establish contingency plans to limit the impact of damage and mitigate losses. It's more holistic than Disaster Recovery because it looks at the implications of many potential scenarios not just the event and its immediate aftermath. Business Continuity Planning provides a comprehensive, long-term approach involving data and IT infrastructure contingencies as well as planning for disruptions to facilities, materials and equipment. In the service sector, Business Continuity Planning also includes protecting customer data, inventory and materials.
Planning should start long before disaster strikes. Smart businesses take a proactive stance, from the CEO downward, making Business Continuity a priority for the entire organization. The process involves management, IT, operations, logistics, real estate, legal, risk management, HR, sales and marketing. All disciplines working together to develop an integrated plan, giving everyone a stake in that plan's success.
There are three key phases of Business Continuity: the plan, the implementation and the follow-up.
Phase 1: The Plan
A Business Impact Analysis covers all aspects of the business and is usually initiated by top management. Analysis involves cross-departmental teams identifying the business's most critical systems and processes and the potential effects a disaster. A thorough risk assessment would also include an inventory of the entire business, the facilities and, for each facility, the people, equipment, software, property and relevant data housed there.
Business analysts would then explore what could happen, imagining as many scenarios as possible, hypothesizing how to handle each and prioritizing the inherent risks. The scenarios should include the "domino effect," when more than one thing goes wrong. The recent earthquake in Japan is a case in point. First Japan had an earthquake, than a tsunami, followed by a nuclear disaster. The Business Impact Analysis helps determine the sequence of activities, identifying which services should be restored first.
Once complete, a written Business Continuity Plan provides a highly detailed, step-by-step primer on what to do and when, who to bring in and how to follow through. The best plans include simple and easy-to-follow Checklists and Priorities for individuals in stressful emergency situations. Since staff turnover is an ongoing issue, the plan must be written by "job function" instead of name of individual.
The document further defines emergency response protocols and the "recovery point objective" or when the recovery mission is deemed complete. This is crucial for the long-term health of a business, particularly service businesses, as the customer is the ultimate arbiter of when service and costs for service are back to normal.
The Business Continuity Plan should establish communications guidelines and service levels that will enable staff to effectively manage customer expectations throughout the disaster and its aftermath. As data integrity is the backbone of many service organizations, sections on IT planning and recovery must detail procedures for backing-up data and designating alternative sites for housing data. If the need is great enough, as in the financial services industry, duplicate systems are often created off-site, ready for deployment at a moment's notice.
The final part of the plan development is Annual Training. Everyone involved must review the plan at least annually. Remember that organizational structures and personnel change all of the time. New team members need to fully understand their current role. Executive management needs to sign off on the plan, empowering the management team to rapidly respond to the disaster that is at hand. The plan must be rigorously tested under conditions as realistic as possible. Each facility needs to designate an owner for that site's Business Continuity Implementation team.
Phase 2: The Implementation
With the Business Continuity Plan in place and the staff trained and ready, every situation, no matter how onerous, can be met with confidence. When disaster strikes, immediately implement the plan. Take care of the short-term needs first and let the plan run its course.
Below are ten best practices during the implementation phase:
1. Ensure Employee Safety. Employees are a business's most valuable resource. Follow proper safety procedures for evacuation in the event of a fire or natural disaster, making sure that everyone is out of the building and at a safe distance. Perform a physical headcount to verify that no one has been left behind.
2. Contact Local Emergency Assistance. Cooperate with local authorities and let trained professionals do their jobs without interference.
3. Secure IT Data Center. If the data center is endangered or compromised, implement the IT disaster recovery plans.
4. Secure Client Information and Assets. Especially important for service providers, getting client information, materials and/or product to a place of safety must be top priority. In the case of a natural disaster, such as a fire, onsite security can establish a perimeter.
5. Contact Corporate Executives. The on-site team will be in the thick of things from the start. Smart organizations know to tie-in the corporate executives immediately. This executive immersion promotes organization-wide accountability and enables businesses to tap into their resources to resolve problems swiftly. My experience tells me that local or on-site management is in the best position to react to the situation at hand. Corporate personnel can gather the necessary resources to help ensure that the on-site management does indeed have access to those resources.
6. Notify Customers. The best relationships are built on trust. In the event of a disaster, that trust can be a source of strength. Share information early and often with customers, so there are few surprises and no recriminations on the road back to normalcy. Personal outreach from senior manager to senior manager goes a long way toward instilling confidence that the situation is under control.
7. Contact Recovery Partners. Reach out to resources that can keep the infrastructure together, if necessary, while the Business Continuity Team focuses on delivering services and keeping customers happy. You may need to engage data warehouse resources, building security firms and key vendors to provide stop-gap assistance.
8. Move to a Secure Location. When the physical plant is no longer operable, or the building site presents dangers, the business must move all personnel to a pre-planned secure location. Off-site data centers take over business critical processing.
9. Communicate. Communicate. Communicate. Foster open dialog between on-site staff and the corporate Business Continuity Team. It's extremely important to reach out with available information for customers early on and follow up with periodic updates so customers remain in the loop.
10. Begin Restoration of Services. Even while the disaster is unfolding, restore service quickly by following the preordained Business Continuity Plan.
Phase 3: The Follow-Up and Fine Tuning
After the initial shock recedes and immediate customer needs are met, it's important to maintain momentum for the full-term of the recovery process. There's no point in winning the battle over disaster to lose the war on recovery. A comprehensive Business Continuity Plan will continue through these post-event projects:
· Physical Plant Replacement/Rebuild. Disasters impact buildings and the materials inside. Your plan must include procedures — and budget guidelines — for decisions regarding when to replace or rebuild. On-site staff must identify the needs for repair or replacement and coordinate efforts with corporate.
· Keep Open Lines of Communication with Corporate Staff. Cooperation between on-site personnel and corporate can speed the return to normalcy and demonstrate to employees that everything is under control.
· Maintain Ongoing Communications With Employees and Customers. Provide regular updates on the status of the building repair. Let employees know when they can get back into a refurbished building or where they will be relocated. Keep customers reassured that their products and/or data are secure and that service will continue.
· Focus Communication to Major Customers. Identify a designated point of contact to ensure consistent and reliable communications. Funnel all questions and answers through these staff.
· File Appropriate Insurance Claims Quickly. Work hand-in-hand with insurance companies so claims can be processed in a timely and accurate manner. Keep careful records of all materials status and repair. As necessary, help customers with whatever backup needed for insurance claims.
· Provide Customers with Confirmation of Recovery and Destruction. When managing customers' data and other secure items, it's critical there are no security breaches. Confirm which materials have been completely recovered and which have been completely destroyed.
· Conduct a Review of the Incident. Publish detailed findings as a "lessons learned" for the Business Continuity Planning team. Share the executive summary with senior management to describe what worked and what needs improvement. Provide customers with "lessons learned" to assuage any remaining anxieties.
· Reflect/Refine/Revise. While your Business Continuity Plan was well-implemented and avoided costly, long-term impact to your company, it's always wise to make adjustments, incorporating real-life learning into the previous hypothetical plan.
· Know Your Contractual Obligations. Review each contract and clearly communicate to team members your obligations.
· Remain Vigilant. Your business came through the disaster with success, thanks to a well-planned and well-executed Business Continuity Plan. Think ahead; be ready for next time.
Preparing Your Business for the Unexpected
Successful Business Continuity Planning is a long-term corporate commitment that takes advance work, assessing risk, identifying resources and generating detailed protocols. An experienced and fully-trained staff, which is accustomed to making decisions, following a formal plan can mean the difference between effective response and a complete breakdown in customer service.
With a proper Business Continuity Plan in place, you can sleep at night, knowing your team is prepared and your business is secure.