Business continuity plan

Why a Business Continuity Plan is Essential to Your Business

When any of us own a large purchase or investment, we protect that investment with insurance.  Be it a house, car, boat, our health and even our lives.  The intent is to provide peace of mind in case the unthinkable happens.  Businesses themselves are not immune from the potential impacts that any disruption could cause.  Depending on where you live, your business can be impacted by hurricanes, floods, fires, or other natural disasters.   Our dependency on technology means we could fall victim to power failures, loss of data or cyber-attack.  Unfortunately, we also must deal with harsh realities of theft, damaged equipment, potential bomb threats and active shooter situations.  Essentially, we could face many threats that could cause loss of life, ruin our business financially, destroy our reputation, impact our operations and services, or put us in a precarious legal situation. Yes, this all sounds scary, but luckily there are ways to make disasters and emergency situations a little easier on your business.

Enter, Business Continuity Planning, or BCP. Our logic when choosing insurance is that the cost of the insurance is justifiable based on the potential loss we would incur should the worse case scenario happen.  It’s a little easier to make decisions as to purchasing insurance when you can easily compare the cost of the item you’re protecting versus the cost of the insurance.  But how do you put a price on a business?  How do you validate to senior management that the cost is worth the investment?  There are a number of factors that help us do so:

  • Regulations – Many industries require businesses in their vertical to have business continuity plans. They are required to mitigate any risks and show that they are resilient to an ever-changing world of threats.
  • Life and Safety – When we consider the potential loss of life that can occur with anything from fire, pandemic, flood, and even active shooter situations, it is critical to the safety and livelihood of our employees that we have strategies in place to protect one of our most important assets.
  • Third party requirement – An increasing number of vendors want their partners to demonstrate that they have adequate resiliency. There is a dependency on vendors to provide critical services.  They want to know that you are a reliable partner, supplier, or vendor and you have your own resiliency in place.
  • Financial protection – We’ve seen in news reports that companies have had to declare bankruptcy after a terrible disaster. In hindsight, most of us would put in protections and preventative measures to safeguard our organization.

So how do we prepare?  We cannot predict the future or know exactly what will happen at some undetermined point.  So, do we plan for everything?  We cannot possibly account for every possible outcome, either financially or even in terms of thinking of scenarios that have not yet occurred.  So, what do we do?  We analyze our business to see what is the most important, based on a number of criteria; financial impact, operational impact, customer impact, legal impact and a few others relevant to the type of industry we’re in.  We also take a look at the history of what has been high risk and high likelihood occurrences at our locations, and to our organization in general.  With this information we’re now armed to tackle the task of putting together a resiliency program.

To go back to the insurance example, this is the point where we know more about the house or car, we know the potential risks, we know the value of the house or car and we know what type of insurance we need and what the payout should be.  In business continuity terms, we now can put together a strategy to show resiliency. Here are just a few questions you need to answer when putting this strategy together:

  • What information will be needed if we can’t access our systems?
  • Who needs to do what in the event of an emergency?
  • In what order do we need to recover our functions?
  • What equipment do we need for recovery, and what other resources are necessary?

Having these plans in place allows a peace of mind that will assist in allowing you to pass audits and prove to executive management that the business is resilient.  But remember, your plans are only good if tested and updated regularly. You need to know that when the unthinkable happens, your plan will work as intended.

To summarize, a Business Continuity Plan is similar to insurance for your business. It allows your team to be prepared for, respond to, and recover from situations that could cause harm to your organization. If you don’t currently have a strategy for what to do in the event of emergency, now is the time to start!

Business continuity plan

What is a Business Continuity Plan?

Many years ago, there was a British TV show called “Blackadder”.  It starred Rowan Atkinson, more well known for his role as Mr. Bean.  He played the title character and found himself in a duel with the Duke of Wellington.  The Duke explains to Blackadder that using pistols and swords is old fashioned and no one does that anymore.  The Duke then reveals the cannons that he will be using to duel.  Blackadder picks up the instructions for the cannon and starts to read. He has barely gotten through the introductory obligatory congratulations message on such a fine purchase when the experienced Duke has already loaded, primed and is about to fire his cannon.  This scene is played for comedy but if in real life we are faced with a time sensitive situation, potentially hazardous and unfamiliar, we would love to have a set of instructions on what to do next.

Even in modern day life, how many of us ever review the emergency instructions on a flight or pay attention to the flight attendant giving those instructions?  Complacency is the enemy of preparedness.  If indeed we were unlucky enough to find ourselves needing to put out a fire using a fire extinguisher or put on a life jacket on a plane, I can imagine a swell of panic trying to hastily react while not being prepared.  So how does this tie into a business?

In our world we buy insurance to protect us from a variety of events and allows us to replace objects in the event of loss of destruction.  However, it gets more complicated with dealing with a business, which provides a livelihood for our staff, product that people may depend upon, or services that may save lives.  We cannot just easily replace lives, prevent injury, rebuild infrastructure, replace lost knowledge or data, or continue the services or product that people may depend upon with just an insurance check.  So, ensuring we have a plan of what to do and how to do it to make sure we can survive and effectively continue the business after an event, is important for all the above reasons.

But where do we start?  How do we plan and what do you need to put in a plan?

We can answer that simply by understanding what it is we do, and how we do it.  The process of doing so is called a business impact analysis.  Through this we can figure out the fundamental building blocks or processes that we perform as a business.  We analyze what risks could cause these processes to fail and how bad the damage would be.  How do measure the damage?  Damage can take many forms, but most common are:

  • Financial
  • Operational
  • The perception of the company, or reputation, after the damage
  • The risk to lives
  • The legal risks and implications

Measuring scenarios by the risk of occurrence and the damage they will cause helps us to figure out what is most important to our business.  Then break it down to:

  • What do these processes need to work properly?
  • Who needs to do it? And what if they are unavailable?
  • What tools/supplies/equipment do they need?
  • What is the order?
  • How quickly does it need to be done, and how quickly can it actually be done?

These building blocks serve as a base for us to develop a recovery strategy, or instructions for the person recovering and a list of all the information they might need.  What software applications do they depend on?  Who is on what team and how can I contact them? (Remember, I might not be in my building or have access to the information I normally have!) And step by step instructions on how to recover.  This makes up the main part of the business continuity plan.

Going back to the scene in question from Blackadder.  The scene always makes me think how when any of us get a new item of technology that we are unfamiliar with, it normally comes with a set of instructions and a quick reference guide.   But how many of us actually read the full instruction manual before using the new piece of equipment?  If you are like me, you probably use the quick reference guide.  None of us want to sit and read a manual in the event we need to do something quickly.  Continuity is time sensitive and the quicker and more succinct we can make our procedures, the more successful they will be, whether you are recovering a complex banking operation or trying to fire a cannon!

Reflecting on 2020

Building and Growing a Culture of Resiliency: Reflecting on 2020

Year in ReviewIt’s fair to say that 2020 threw quite a few curveballs at everyone and the hits kept coming throughout the year. I should have known it was going to be bad when a customer contacted me in January 2020 to see if I could help them source masks from another customer for operations in China, well ahead of anyone being worried COVID-19 was going to land in the US. In reality, the virus was already here but no one knew.

As I reflect on the past year, two things become abundantly clear: 1. business continuity as it existed a year ago hadn’t yet evolved to deal with a multi-vector crisis that had a duration measured in months and 2. we’re all still hanging in limbo waiting for things to go back to “normal”, whatever our individual definitions are of that term.

Most of us are sitting one leg over the fence on establishing a new baseline but still clinging onto what used to be, and this isn’t accidental. When you look at traditional business continuity programs, they look like a cycle starting at one place, running around the circle, and ending back at the top while we rinse and repeat. We assume the flow, most of the time, will be to prepare while everything is normal, wait for an event to happen, respond to the event, and go back to a pre-event steady state. We incorporate learning and improvements, but these typically are incremental. This pandemic is forcing a full evaluation of how we plan and respond and what “steady state” even means.

We, at Infinite Blue, have constantly engaged our customers, partners, and industry leaders in an attempt to understand this extended crisis and how we as a global community are responding to every aspect of it. We’ve conducted several panelist webinars, hosted daily podcasts on C-19 Daily with a few special guests, and even converted our annual in-person user group into a half-day learning event.

Throughout it all, we’ve been asked to share what others are doing, how each organization is performing, and how we could improve understanding and response to the events unfolding. In response, we’ve released several new offerings including IB Connect, Turnstile, Sendigo, an After-Action Report, and BC in the Cloud Core, a turnkey version of our flagship application. We hope that these expanded offerings help organizations have a better awareness of events when they occur and can communicate impacts more clearly to employees, customers, board members, and community members.

I want to thank our customers and our team for helping us to earn a few awards along the way in 2020. Infinite Blue was selected to be a part of the Inc. 5000 Fastest-Growing Private Companies of 2020 in addition to the Deloitte Technology Fast 500 for 2020, two amazing communities of companies that have made major impacts on the world. We’ve also received a nomination from DRI for the third year in a row as the Product of the Year. It’s a testament to what we’ve achieved, but those who know me well know that it means we’re just getting started. It’s not time to rest on our laurels but to press forward, stronger and harder, to keep innovating.

Where we’re heading

As we round into 2021, we must establish the new baseline as well as anticipate and manage new crises that are already getting sent our way. How do we handle those working at home now as we used to when they were in the office regarding redundancy and workforce planning? What is the “new normal” we need to reset to and when do we lock that in as our new baseline or is it ever shifting?

All of us at Infinite Blue stand ready to assist you and your organization to build and grow a culture of resiliency. We have some exciting evolutions coming from our products and services that we’ll be introducing to you throughout 2021 but we also want to continue to hear what you need. Our product managers and customer success team members have established several ways you can interact with both our team and our customer communities. Additionally, I hope to see many of you at our Discover 2021 conference in Philadelphia, Pennsylvania, in September. Until we speak again: stay healthy, stay safe, and stay resilient.

Business Continuity Plan

Business Continuity Plans: One Size Fits One

If I had a nickel for every time someone at a tradeshow, or a software prospect asked me to provide a sample business continuity plan they could use as a guideline or template, I would be writing this on a tropical island instead of sequestered in my home office.

The challenge with the request for a sample business continuity plan is not the quality of the plans, it resides in the fact that it was built around one specific company’s expectations, culture, knowledge, style, regulatory requirements, and stakeholder needs.  One size fits one, not all. There are also hurdles from legal, as well as the protection of intellectual property to contend with.  The last time I was able to provide a plan from a customer in the same industry, it was redacted more than an FBI document, offering no real value.

Having stated this, I thought the best way to address the requests for a sample business continuity plan or templates was to lay out a common construct I see across banking, manufacturing, distribution, retail, education, and general plans.

All plans start with a common foundation, but each vertical market will have variances.  Please understand these are examples of what goes into a business continuity plan, or an example of a sample, so to speak. In order to understand a lot of this, you’ll want to brush up on some important business continuity terms. Luckily, I have outlined everything you need to know here, in a guide to creating a business continuity plan from scratch. If you are new to the industry, I recommend reviewing this guide so you can fully comprehend the sample plan that I’ve laid out below.

There are numerous regulations, standards, and best practices that encompass business continuity.  While we don’t have enough time to identify each one and map it into a sample plan, I’ve highlighted some of the most common aspects that will appear across industries.

As you read through these examples, and the full guide to creating a business continuity plan, I hope you garner a deeper understanding of why “one size fits one” and what goes into an actionable and resilient plan.


BC Example Plan

BC & Big Data: Beyond Resiliency

BC & Big Data: Beyond Resiliency

Sometimes the hardest part of running a business continuity program is engaging your internal partners during the planning phase. At any industry meeting, you are likely to find yourself in a discussion about the trials and tribulations of a business continuity program.  Do you find getting plan updates and approvals in a timely manner is like pulling teeth? Are you banging your head against a brick wall trying to engage the right individuals? Ever accommodate a partner by putting off meetings or a review cycle so often that you think pigs may actually fly first?

Internal partners sometimes put the business continuity review process just slightly above a day waiting in line at the DMV because they do not see the value in their day-to-day operations. Certainly, everyone is engaged during incidents. It is navigating the planning phase that can be a challenge. We all sympathize to the competing priorities and tasks that our colleagues juggle every day. We try to accommodate their schedules and minimize the impact to their busy schedules. We implement solutions that make the review and approval process virtually painless. And, we make training and exercising concise, engaging, and fun! While these strategies demonstrate that we will make effective and efficient use of their valuable time, it still is not demonstrating the value of the business continuity program to the bigger picture.

What other program prioritizes processes across the entire organization and identifies what it needs to operate? Business Continuity is the big data of an organization. This data is valuable for mergers and acquisitions, organizational management, and resource management.  During mergers and acquisitions, a change management team sends out surveys to gather information to assist in aligning the companies. Much of the data requested is data that Business Continuity programs already have vetted and approved. This same data is valuable to organizational management and resource management teams that are reviewing processes and dependent resources across the organization. There are significant cost saving opportunities to be realized when consolidating redundant IT applications. When engaging internal partners, be open to adding data attributes or use cases such as physical security assessments or vendor assessment to your business continuity software to assist them.

Learn how to champion the value of your data in the day-to-day operations by engaging your internal partners and your program may overcome the trials and tribulations of the planning phase.

Where do I start?

What Business Continuity Methodology is Most Important to Start With?

Where do I start?

This is a conversation and situation I’ve had many times with different people, and it may feel familiar to some of you. You’ve been tasked with developing a BC/DR program for your organization. Assuming you have nothing or little in place, and what you do have is so out of date that you’re feeling that it would be wise to start fresh. The question invariably comes up: Where do I start?

Depending on your training or background this may start with a Business Impact Analysis (BIA) in order to prioritize and analyze your organization’s critical processes. If you have a security or internal audit background you may feel inclined to start with a Risk Assessment. You may have an IT background and feel that your application infrastructure is paramount, and you need a DR program immediately. If you’ve come from the emergency services or military, life and safety might be at the foremost in your mind and emergency response and crisis management might be the first steps. I’ve seen clients from big pharmaceuticals that need to prioritize their supply chain as their number one priority.

The reality is that although there are prescribed methodologies with starting points outlined in best practices by various institutes and organizations with expertise in the field, there is only one expert when it comes to your organization. You.

Ultimately each methodology has intrinsic connections to other methods. In the real world, as much as we’d love to get everything completed in one project, doing so from a budgetary standpoint as well as a workload is not always feasible unless you have a large team to get this accomplished. Add the layer of being a global company and consideration of different regulatory requirements and the project becomes even larger.

In the same way that we analyze our organization for impacts in a BIA or threats in a Risk Assessment, we can apply similar logic as to our priorities without getting into a full “analysis paralysis” type of situation.

For example:

  • What industry vertical does my organization fall into?
  • Is it heavily regulated?
  • Did we recently experience a disaster?
  • What were the lessons learned from that disaster?
  • What are the areas that the executive committee have the most concerns about?
  • Are we global?
  • Do we have any procedures in places, particularly in terms of life and safety?

What industry vertical does my organization fall into?

This question can determine your highest priorities, a financial organization could be regulated by FFIEC, NCUA, OCC or many others. That many demand certain requirements to have MEFs defined with recovery actions or the penalties could be high. A retail or pharmaceutical organization may have a high reliance on their distribution/production network. The latter could have life dependent impact on the distribution of critical medicine and vaccines, therefore their supply chain would be a priority.

Is it heavily regulated?

Heavily regulated industries come with their own set of risks. Not only do we have to be prepared for potential loss due to a disaster, but non-preparedness has its own forfeiture due to fines and penalties. Our start point might be dictated by how exposed we are and might fail an audit. They need to ensure that we are compliant to avoid huge fines or loss of membership, infringement of SLAs or contracts may dictate our highest priority.

Did we recently experience a disaster?

On occasion I’ve encountered companies in industries that were not regulated, but just experienced a flood and realized how vulnerable and unprepared they were. Their board of directors or owners realized how backups were inadequate or inaccessible. The company had no flood insurance because no risk assessment had been performed, there was no communication plan out to vendors or customers which damaged relationships. Fortunately, they still were able to recover but it shed light on all the vulnerabilities of the organization. The driver could be related to prior experience.

What were the lessons learned from that disaster?

“Hindsight is 20/20” and lessons learned provide valuable insight as to the higher risks, likelihood and what could occur again. They are the best exercises or tests we could ever have as they test aspects of our organization that we can’t simulate like stress and how staff endure under real pressure. Everyone who has had a house broken into or experienced a fire immediately went and bought a security system or fire extinguisher respectively the next day. Our driving force could be due to never allowing the unthinkable to happen twice.

What are the areas that the executive committee have the most concerns about?

Independent of regulatory, financial, and past disasters experienced sometimes it can happen where a board member or manager has a concern of a threat based on previous experience that isn’t substantiated. If an executive committee are all in alignment and their guidance matches the evidence, then that works but what do we do when direction is misaligned? In circumstances like this, the only thing we can do is let the numbers and the evidence prove the way. A risk assessment will show where we’re vulnerable and a BIA will show what’s critical.

Are we global?

In an organization that has global offices, we may have to prioritize based on laws in other countries.  E.g. The German Bundesdatenschutzgesetz (BDSG), The Data Protection Act, The Danish Personal Data Processing Act or GDPR. The fines can be steep, and infringements and reporting can have short turn around times. Are we in a position to roll out a program that can ensure preparedness for the organization but, also meet the demands of all international privacy policies? Are we more at risk in one country vs. another?

Do we have any procedures in places, particularly in terms of life and safety?

It’s hard to imagine that an organization would currently not have a simple evacuation plan even just for a fire. But has it been tested? Have security alerts gone up in our location for potential terrorism and bomb threats? The current political situation and our location could have some bearing on the need to prioritize life and safety of our employees. Especially if a previous incident has impacted our image or reputation.

In Summary

Ultimately you will need to prioritize your program based on considerations of your industry, previous incidents, your location and your high risks and exposures. Weigh up your budget, the workload, your resources and assess your companies’ highest priorities by evaluating against the questions listed above.

Trust your judgement but back it up with all the evidence you can, the strength of your position is unquestionable when the data shows what the risks are, the potential penalties and the impacts for non-preparedness.

Business Continuity Manager

What does a next-generation BC manager look like?

The role of a business continuity specialist is rapidly changing with the constant introduction of new technology.  We can’t help but wonder, how will the profile of a business continuity manager evolve?

For those of you reading this blog who might not be familiar with business continuity, let’s rewind to the 80’s.  This was a time when the concept of protecting your entire organization emerged.  Previously, companies were focused on identifying critical systems and how to recover them quickly after an event.  Which would explain why many business continuity professionals transitioned from an IT background.  Paul Kirvan, who wrote the article “Business continuity managers must expand their training to stay viable” spoke of this time saying, “…we have seen the development of the term resilience, which some suggest is the evolution of BC.”

Fast forward to the 90’s and we start to see technology being used in malicious ways posing threats to network security. This quickly became the number one concern of technology professionals.  It was at this time that business continuity planning become more prevalent and accepted by organizations.

Fast forward just a little further and we are here in the 21st century.  It is now that business continuity managers have become an important part of a company’s efforts to understand and manage their impacts on the overall organization.  Realizing the importance of business continuity planning, even academic institutions are starting to offer coursework that highlight risk management, strategic planning, operational analysis and emergency management.

Now that you are up to speed, let’s talk about the future of business continuity managers.  As I mentioned above, the number one concern of any organization is cyber threat.  This concern has opened the door wide to cloud-based solutions, including technologies like: cloud backup, file sync and share, and file server replacement.  Each of these methods being used for data protection. With the advancements in technology, it would not be surprising to see the role of a business continuity manager evolve to have a heavier focus on cybersecurity management and emergency management.

Don’t panic though! This should not pose too much of a problem as the next generation of BCM’s will start to introduce more tech-savvy millennials.  Technologies will continue to help the efforts to recover after a disruption but BCM’s will continue to play a key role in helping to identify the businesses critical processes and applications.

What is Risk Management? I’m still figuring it out…

Over the years I’ve heard the same question, “What do you want to do with your life?” When I was younger, I always responded quickly, “I want to be an Astronaut.” Or, “I want to be a Movie Star.”

Now when you ask me that question, I will respond with, “I have absolutely no idea.”

My name is Angela Prass. I will be a Junior at Syracuse University this fall studying Information Management and Technology. Recently, I received an internship opportunity at BC in the Cloud, along with two other talented individuals.

Along my long journey in college of not knowing what to do for the rest of my life, I stumbled upon a class titled, “Enterprise Risk Management.” I received a good grade in this class and wanted to explore this concept on a real-world scale. I thought to myself, “I like to take risks. This is something I’d be interested in.”

One afternoon, I was scrolling through LinkedIn and found BC in the Cloud. So… I took the risk. I applied for an internship. A few days later I landed an interview. Next, a second interview. And now I have the opportunity to gain valuable experience from the risk that I took.

Amazing opportunities can come from pushing your comfort zone. I have now learned that Risk Management isn’t about denying risk; however, it is about accepting risk and developing a plan so that you can continue to push your limits. To sum it up in a single simple word–growth.

Much like preparing for an interview, after the risk of applying was taken, how will you plan for the outcome? How will you stand out, organize yourself, and approach the uncertainty?

Or not knowing what you want to do with your life. How will you plan ahead? How far will you step out of your comfort zone? Will you take a class you’ve never even heard of? Well, let me tell you…

It turns out that taking a class that I had no idea what the title even meant, paid off. It gave me a path, an internship, and a passion. Risk is in our everyday lives. Preparing for it only allows us to continue to grow. Now my statement has turned from, “I have no idea,” to “I have an idea.”

And that’s what growth is… isn’t it? I’ve learned to grow and to create. To be comfortable being uncomfortable. And most importantly, it is okay to ask for help… the only risk associated with asking is receiving knowledge.

BC in the Cloud thinks of the unthinkable, so companies can push past any obstacle, take risks, and be prepared to persevere through all the ambiguities that accompany their success. Everyone should be empowered to pursue their dreams without hesitation. The team at BC in the Cloud provides their expertise to help companies grow. Risk Management is not about being afraid of risk, it’s about becoming confident in your own ability.

Be Prepared with a Dynamic Incident Response Plan

Many companies are required to have a Business Continuity Plan in place for compliance reasons, but it makes good business sense to also make sure you have a functional plan to help you recover from an incident as quickly as possible.  Whether it is a hurricane, wildfire, active shooter, or cyber attack, you can minimize the impact on your organization with a Dynamic Incident Response Plan.

Simply having a plan in place doesn’t ensure that you’ll have control when an event or a breach becomes a crisis. Incident response plans should be dynamic – or adaptable – to the needs of the business.

What makes an Incident Response Plan dynamic?

  • Break your plan down into sets of concise, easy to follow task lists, especially for critical business processes and applications
  • Engage the whole business – without buy-in from all parties, it’s unlikely a plan will be executed as intended. Confirm everyone understands his or her role.
  • Test emergency communication plans and task ownership on a regular basis.  A major failure in crisis is the communication breakdown.  Regular testing should confirm if individuals can understand and execute their roles and tasks.
  • Have your plans accessible via a mobile platform that is intuitive and user friendly

Some additional considerations for creating a functional and dynamic Incident Response Plan:

Lay out who is responsible for what – and identify backup personnel.  All Incident Response Plans should clearly define the key roles, responsibilities and parties involved during a disaster recovery (DR) event   Among these responsibilities must be the decision to declare a disaster. Having clearly identified roles will garner a universal understanding of what tasks need to be completed and who is responsible for what.

Protocols for a Disaster Recovery Plan must include who and how to contact the appropriate individuals on the DR team, and in what order, to get systems up and running as soon as possible.  It is critical to have a list of the DR personnel with the details of their position, responsibilities, and up to date emergency contact information.

Create a communication plan.  This is perhaps one of the more overlooked components of a Disaster Recovery/Incident Response Plan.  Having an effective communication plan that is tested is critical.  When a disaster strikes, how are you going to communicate with your employees? Do your employees know how to access the systems they need to perform their job duties during a DR event?

Many times, the main communication platforms (phone and email) may be affected and alternative methods of contacting your employees will be needed.  An effective communication plan will account for initial communications at the onset of a disaster, as well as ongoing updates to keep staff informed throughout the event.  Automated Notification systems can provide a lot of value to your organization in this area.

Test your plan regularly. If you’re not testing your DR process, you may not have one that works. Your backup hardware may have failed, you may be relying on someone incapable of dealing with a disaster, your internet connection may be too slow to restore your data in the expected amount of time, the DR key employee may have changed their cell phone number. There are a lot of things that may break a perfect plan. The only way to find them is to test it when you can afford to fail.

Keep in mind that when it comes to disaster recovery, you’re only as good as your last test. A testing schedule is the single most important part of any DR plan.  The more comprehensive the testing, the more successful a company will be at getting back on their feet.  Also, failing a test is not a bad thing. It is better to find these problems early than to find them during a crisis. Decide what needs to be modified and test until you’re successful.

And don’t forget about testing your employees. The employees that are involved need to be well versed in the plan and be able to perform every task they are assigned. Running simulated disasters and drills help ensure that your staff can execute the plan when an actual event occurs.