Preparing for the Unknown: 4 Key Takeaways When Thinking About Business Continuity
By Renzo Portella, Manager, Technology Risk Services, Aronson LLC
Business Continuity Planning (BCP) practices have been around for many years, however, unless required by a specific management action, customer mandate or applicable regulation, many organizations tend to drag their feet when it comes to implementing formal business continuity processes. Given the level of efforts required to understand and implement appropriate contingency processes, this is understandable, but organizations that fail to adequately plan for disruptions often find themselves in reactionary/chaos mode when a crisis interrupts business as usual.
Per the Insurance Information Institute, 40% of businesses impacted by disaster never reopen their doors. Only after an earthquake, data breach, government shutdown or similar disruptive event occurs do organizations ask:
- How can we verify the safety of our personnel and assets?
- Who do we need to contact?
- What are our immediate next steps within the next 48-72 hours?
- My data was backed up, right?
- How do we resume business as usual?
If an organization hasn’t yet developed a thorough business continuity plan, now is the best time to start. The webinar The Necessity for a Business Continuity Plan focuses on addressing these and other important questions associated with planning for the unknown to help you prepare for, and protect your organization from, a disruption.
What is a BCP?
In short, BCP encompasses what actions your organization takes to be prepared in the case of a business disruption event occurring and how to recover efficiently, effectively and securely. When thinking about BCP, it is helpful to note that BCP includes:
- Creating standards
- Documenting plans (at business line and/or site level)
- Educating personnel on those plans
- Testing plans on a periodic basis
- Continuous monitoring and refresh of risks identified and addressed via BCP documentation.
Crafting of the overall BCP process will differ based on risk appetites, industry, compliance requirements, and management approved standards.
The Necessity for a Business Continuity Plan
Who Needs a BCP?
In short, everyone. Even the smallest businesses could benefit from having business continuity and disaster recovery plans to recover from a disruption. For instance, if a power outage hits a firm’s physical office and there is no emergency backup power, personnel who have already been trained on business continuity planning know the following:
- Processes for checking in with management, and downstream communication processes with customers and clients during outage if necessary.
- Steps needed to maintain productivity, connectivity and access to redundant information systems (e.g., cloud backups).
- Processes and tools to track employee time and what is charged during the length of the disruption.
- How to coordinate and communicate with management and information technology resources to determine next steps, and when resumption of normal operations can be expected.
- Processes to check for adherence to contractual obligations and communications processes for handling customer updates.
- Any steps required on their part to help return to normal operations.
If properly implemented BCP or disaster recovery processes are in place, business and customer impacts will be minimized. Business continuity and disaster recovery plans should be crafted at a level that covers any general business disruption, and also addresses key scenarios that could impact your organization, with special considerations based on corresponding industries, geographical locations and regulatory requirements.
What About My Supporting Information Systems?
As one can imagine, unless your business is running on all pen and paper files, information systems will play a key role in being able to perform daily business processes. A disaster recovery plan should accompany your BCP. A disaster recovery plan defines how information systems are configured, used, and how they should be restored during a business disruption. Information technology teams are normally heavily involved in crafting disaster recovery plans, but business lines utilizing those tools are responsible for establishing which data and systems are critical to operations and must be restored.
Data required to be restored to the system must also be noted and backup schedules and processes should already be in place (if you are not currently backing up your system data, that needs to change). To get your business back up and running in a timely, secure manner after a significant disruption, including having all the tools, software, and data needed to do your job, a robust disaster recovery plan will be key.
Where Do I Start?
Identify key business areas and corresponding risks. Without determining the key business areas across your organization, continuity and data recovery will not be effective. Areas to examine are processes and procedures, roles and responsibilities, and business critical operations. A business impact assessment (BIA) should be conducted to identify business areas, as well as provide information about risks specific to each area.
Develop and standardize policies and procedures. This is key in setting the tone for your business. Senior management must ensure that the importance of these efforts are communicated consistently across the organization and enforced. Creating and distributing a formal document to personnel is an effective way to educate employees about how to incorporate BCP considerations into everyday tasks.
Draft a BCP and disaster recovery plan and implement an execution strategy. After your BIA is complete, it is time to start drafting concrete plans with detailed recovery steps at both operational and information technology system levels. Requirements and details to include in each plan will be based on methodology and standards created by management, as part of the policy and procedure creation process. The final solution should be based on the potential risk of an event occurring, the risk level management has agreed to accept, and applicable budget/spend considerations.
Test BCP and disaster recovery processes. Imagine trying to recover a database, only to find that the individual attempting the recovery does not have appropriate system access to make changes. This is why testing is critical to ensure recovery activities can be performed as intended and within time frames specified by the business. A BCP/disaster recovery policy should contain the requirement to execute periodic plan testing, noting the minimum level of testing to be conducted, and how to document and report evidence of the testing performed.
Continuously monitor BCP and disaster recovery processes. Business continuity and disaster recovery plans should reside in living documents, requiring periodic reviews and updates based on changes to organizational structure, business processes, and information technology environments. These documents should be reviewed on an annual basis or when significant changes occur.
An investment of time and resources upfront can yield powerful returns when a disruption arises. A solid BCP provides management and customers with peace of mind that an organization is equipped to handle a crisis without compromising the quality of service the internal and external partners are accustomed to.
Want even more direction on crafting a solid business continuity plan? Watch the webinar The Necessity for a Business Continuity Plan, the latest installment in the partner expert webinar series Navigating No-Man’s Land: From Small Business Set Asides to Full & Open Competition.
About the Author
Renzo Portella, CISSP, CISA, is an experienced technology risk and compliance manager in Aronson LLC’s Risk Advisory practice. With more than 10 years of experience, Renzo delivers comprehensive and risk-based approaches to meet the goals and missions of his clients. He has delivered impactful results for clients of all sizes on matters related to financial, compliance, operational and IT risks and controls. Renzo is responsible for establishing risk and control framework for organizations in order to use to meet internal audit, regulatory, operational, and key stakeholder demands.
- Business Development
- Business Infrastructure
- Contract Management
- Cost Management
- Costs and Expenses
- Deltek Clarity
- Deltek Costpoint
- Deltek Insight
- Earned Value Management
- Enterprise Resource Planning
- Financial Management
- Firm Management
- Government Contracting
- Human Capital Management
- KPIs and Analytics
- Project and Portfolio Management
- Project Management
- Resource Planning
- Risk Analysis
- Scheduling and Planning
- Small Business
- Talent Management
- Time and Expense Management