When any of us own a large purchase or investment, we protect that investment with insurance. Be it a house, car, boat, our health and even our lives. The intent is to provide peace of mind in case the unthinkable happens. Businesses themselves are not immune from the potential impacts that any disruption could cause. Depending on where you live, your business can be impacted by hurricanes, floods, fires, or other natural disasters. Our dependency on technology means we could fall victim to power failures, loss of data or cyber-attack. Unfortunately, we also must deal with harsh realities of theft, damaged equipment, potential bomb threats and active shooter situations. Essentially, we could face many threats that could cause loss of life, ruin our business financially, destroy our reputation, impact our operations and services, or put us in a precarious legal situation. Yes, this all sounds scary, but luckily there are ways to make disasters and emergency situations a little easier on your business.
Enter, Business Continuity Planning, or BCP. Our logic when choosing insurance is that the cost of the insurance is justifiable based on the potential loss we would incur should the worse case scenario happen. It’s a little easier to make decisions as to purchasing insurance when you can easily compare the cost of the item you’re protecting versus the cost of the insurance. But how do you put a price on a business? How do you validate to senior management that the cost is worth the investment? There are a number of factors that help us do so:
- Regulations – Many industries require businesses in their vertical to have business continuity plans. They are required to mitigate any risks and show that they are resilient to an ever-changing world of threats.
- Life and Safety – When we consider the potential loss of life that can occur with anything from fire, pandemic, flood, and even active shooter situations, it is critical to the safety and livelihood of our employees that we have strategies in place to protect one of our most important assets.
- Third party requirement – An increasing number of vendors want their partners to demonstrate that they have adequate resiliency. There is a dependency on vendors to provide critical services. They want to know that you are a reliable partner, supplier, or vendor and you have your own resiliency in place.
- Financial protection – We’ve seen in news reports that companies have had to declare bankruptcy after a terrible disaster. In hindsight, most of us would put in protections and preventative measures to safeguard our organization.
So how do we prepare? We cannot predict the future or know exactly what will happen at some undetermined point. So, do we plan for everything? We cannot possibly account for every possible outcome, either financially or even in terms of thinking of scenarios that have not yet occurred. So, what do we do? We analyze our business to see what is the most important, based on a number of criteria; financial impact, operational impact, customer impact, legal impact and a few others relevant to the type of industry we’re in. We also take a look at the history of what has been high risk and high likelihood occurrences at our locations, and to our organization in general. With this information we’re now armed to tackle the task of putting together a resiliency program.
To go back to the insurance example, this is the point where we know more about the house or car, we know the potential risks, we know the value of the house or car and we know what type of insurance we need and what the payout should be. In business continuity terms, we now can put together a strategy to show resiliency. Here are just a few questions you need to answer when putting this strategy together:
- What information will be needed if we can’t access our systems?
- Who needs to do what in the event of an emergency?
- In what order do we need to recover our functions?
- What equipment do we need for recovery, and what other resources are necessary?
Having these plans in place allows a peace of mind that will assist in allowing you to pass audits and prove to executive management that the business is resilient. But remember, your plans are only good if tested and updated regularly. You need to know that when the unthinkable happens, your plan will work as intended.
To summarize, a Business Continuity Plan is similar to insurance for your business. It allows your team to be prepared for, respond to, and recover from situations that could cause harm to your organization. If you don’t currently have a strategy for what to do in the event of emergency, now is the time to start!