Earlier this month, Anglepoint joined with Reciprocity for a webinar about the top initiatives information security teams should consider when creating a Business Continuity Plan (BCP). A well-constructed BCP will ensure confidence and clarity in times of uncertainty. Read on for 4 key steps to creating a BCP.
What is a BCP?
A BCP is an emergency management plan. It ensures that, in the event of an emergency/ disaster (fire, flood, earthquake, etc), operations will continue, personnel will be taken care of, and assets preserved. However, a BCP is not simply against natural disasters. IT companies must plan against malicious ransomware attacks, grocery stores must have a BCP in place if main suppliers go under. Anything that could majorly affect operations in some way must be planned for.
Businesses who work to create procedures and strategies have confidence in adaptability. This confidence is derived from a tried and refined BCP, that has been proven to work effectively. Though several external influences may arise (some are foreseeable, others unexpected), businesses will still have the capability to continue critical operations through a proven BCP.
Why create a BCP?
Having an up to date BCP will help mitigate the effects of any negative occurrence which threatens business infrastructure; internally or externally. A well-constructed BCP will provide clearly defined steps on how to respond to these disasters. The goal is to have a plan that will ensure operations continue as productive as possible, with some degree of normalcy in times of uncertainty.
4 key steps to creating a BCP.
1. Risk Assessment
Identify Stake Holders
A BCP does not rest solely on one employee, or even one department. To create an effective BCP, companies must identify key stakeholders and seek their valuable input. Work with stake holder to identify key risks that pertain to their success, and how in the event of a disaster, your partnership could be affected. Discuss ways these risks can be mitigated.
One of the most common pitfalls when creating a BCP is focusing on the wrong risks. To begin prioritizing risks, first identify potential threats that may impact day-to-day functionality. Consider listing your industry risks, target market, rising trends, geographical area, etc. Once listed, begin prioritizing the risks. This may be based on the level of impact, likelihood of occurrence, or other defined criteria. Consider some of the following risks:
Once risks have been identified, and a response has been devised, identify gaps in the BCP through careful review. Encourage collaboration to identify where the plan is weak, then make necessary changes.
2. Business Impact Analysis
Collaboration is key when creating an effective BCP. Not only will this allow others to feel a sense of ownership over the plan, thus making execution more effective, but it will give you a greater understanding into how a disaster may impact other business functions. A Business Impact Analysis (BIA) is a breakdown of how a disaster will affect key areas of the business. This will be most effective if feedback from managers and employees is received personally. Consider:
- Seeking to understand different team structures and their tools. - Meeting with managers and asking their feedback on how these processes will be affected in the event of a disaster. - Developing questionnaires. - Conducting workshops to instruct business function and process managers how to complete the BIA.
3. Strategy and Plan Development
When finalizing the BCP, it is imperative to document the plan and store the document in a secure location. Consider storing the BCP off-site, in the event of the site location, or documents, experiencing damage/ theft. Consider including the following elements in your BCP:
- Develop and plan framework - Organize recovery teams - Develop relocation plans - Write business continuity and IT disaster recovery procedures - Document manual workarounds - Assemble plan, validate, gain management approval
4. Test, Implement, and Maintain
To have confidence in your BCP, test, re-test, then test again. A strong BCP has undergone testing to identify the weak points. Managers should consider maintenance checks to ensure the BCP is up to date, testing every year. This will provide further confidence in the actionable response items in the BCP. Managers/ BCP Teams should also:
- Conduct orientation exercises - Document test results - Update BCP to incorporate lessons learned from testing and exercises
Common pitfalls for businesses to avoid.
- Lack of support (funding, compliance) & visibility senior management - Focusing on Tech first and business process priorities second (tech is easily replaceable. Some examples of business process priorities include running payroll, for a company that focuses on developing a software- the tools that you use will be your business process priorities) - Inadequate Documentation of BCP (Have a system in place where employees know) - Failure to test your BCP (Will not know if the BCP is effective or not. When stuff hits the fan, you want to know your BCP is tried and proven).
Now, more than ever, organizations need to be prepared. Creating or improving a Business Continuity Plan will ensure your business operations proceed, even in the event of disaster. For more helpful info, register for our newsletter.