How to create a business continuity plan

Business resiliency and business continuity planning

The discipline of business continuity planning (BCP) should be focused on business resiliency, not just on preparing for the worst-case scenario.

Business resiliency draws on effective BCP strategies to ensure that you can minimise or avoid the impact of problems and threats on your critical business functions and return to business as usual (BAU) as soon as possible.

There are always going to be factors beyond your control that might affect your business operations. If you aren’t adequately prepared, a power or communications outage, or a natural disaster such as a storm, flood or fire, can have a catastrophic impact on your organisation – including the health and safety of your employees.

A case in point is the recent severe bushfires, which had a devastating and widespread impact on communications services in NSW and Victoria. In an effort to improve network resilience, the Federal Government convened a roundtable meeting with Australia’s major telecommunications companies and industry organisations to address both the immediate response and also the longer-term initiatives needed to minimise the impact of future emergencies. “While no telecommunications network is 100 per cent impervious to damage from natural disasters, Australians naturally want to be confident our communications networks are as resilient as possible during times of emergency,” said the Commonwealth Minister for Communications, Cyber Safety and the Arts, the Hon Paul Fletcher MP via a media statement.

You need to make sure that your business continuity plan includes all the vital information you need to respond effectively to emergency situations. These high-pressure environments can be chaotic and confusing, so how do you create and maintain an effective plan to stay in control and respond effectively in the event of a disaster? Here are some key factors to take into account when you are creating or reviewing your business continuity plans and readiness.

1. Understand your business impacts and prioritise each business process or function.

A business impact analysis and risk management approach are essential first steps. Be sure about what constitutes your minimal operating base, the amount of time that’s acceptable for recovery of each key process (which will inform your recovery time objective), and that you have identified the various risks and threats to your business.

In terms of impact, you need to consider three types: financial, stakeholder and reputational damage. For example, if your customer service agents can’t answer calls or emails due to an outage in your main contact centre, how many agent seats do you need to have in your disaster recovery (DR) facility to respond to critical customer enquiries?

An insurance company might have assessed that it needs 20 contact centre seats immediately for agents to process urgent claims and payments from customers, but can wait longer to bring its outbound sales agents back online. However, that required seat figure might change depending on the nature of the incident. If it’s a wider scale natural disaster, the insurance company is likely to be fielding a lot more calls from customers. That means doubling or tripling those immediate seats.

2. A business continuity plan needs to be flexible.

Your plan needs to be a guide or codes of practice, not a step-by-step process. You can’t develop plans for every possible scenario or every permutation. You need a plan with the right balance of general and specific detail to arm your emergency management team with information and processes to be able to categorise threats and risks by business function and impact, to prioritise both the safety of your staff and the containment of any damage.

A good analogy is a hospital’s emergency department. Identifying business impact is the critical triage process. That determines what courses of action needs to be taken: how quickly the issue needs to be dealt with, which operational staff and specialists are required, and what equipment or facilities need to be available. From that point, a treatment (BC) plan kicks in to maintain critical functions and minimise any ongoing impact or further damage to the patient (business operations), and a longer-term strategy to restore the patient back to full health (recovery time objective – RTO). These actions might not be spelled out in the plan, because it will be up to the specialists or other third parties to determine the best approach.

3. A business continuity plan needs to be accessible.

It’s important that you have redundant digital storage locations for your plans, and hard copies available as part of your emergency kit at each of your facilities. The key members of your crisis management team aren’t always going to be available to respond. You will want to make sure your broader team, not just your key operations staff, is made aware of your BC plans and has easy access to the documentation.

4. Factor in your supply chain.

Make sure you have considered your obligations to your customers, particularly any contractual or compliance requirements, such as service level agreements (SLAs). If you are providing services to any APRA-regulated customers, they will need to conform with Prudential Standard CPS 232 for Business Continuity Management, which also applies to third-party service providers. Your business can also be disrupted when your business partners are affected by a disaster.

You need to ensure that you have identified your critical suppliers, what might happen if their services are disrupted, who you need to contact in the event of a disaster, and their agreed responsibilities and recovery strategies. These suppliers might also be a good source of support for additional resources or replacement or repair of damaged infrastructure. For any of Interactive’s customers in the financial services and insurance industries, they need to be confident that our business continuity plans and capabilities meet APRA’s objectives and key requirements.

5. Disasters are more likely to be mundane, not catastrophic.

While you need to be prepared for the worst-case scenarios, the most likely cause of your disaster is something smaller or more specific. That might include localised flooding from a burst pipe on the floor above, an evacuation from a suspected chemical or gas leak, or simply that the toilets are out of action. If you have critical business functions that will be interrupted by these occurrences, your business continuity planning needs to kick into action. Another common source of damage is from CryptoLockers and other ransomware that might restrict users’ access to services or threaten to destroy your intellectual property or other digital assets. Your BC plans need to identify key types of cyber threats, the best ways to mitigate or prevent these risks and a process or guide on who best to deal with them.

6. Information technology (IT) should be a top priority.

Organisations typically have a heavy reliance on IT processes for business operations, so restoring these services should be given a high priority in any plan. You should also ensure that your key IT management and operational staff are represented in your crisis management team or identified in your plan. There should be redundancy built in at all potential points of failure so that critical services can be restored quickly. A regular data backup in secured data centers can help businesses to recover their data efficiently in many disaster instances such as cyber-attacks. For catastrophic failures, your organisation should be able to replicate this full operational environment, including the required IT infrastructure and services at a dedicated or shared disaster recovery site.

7. Don’t make any assumptions.

Challenge what’s normal. Plans can come unstuck for simple but unexpected reasons. In a recent example, when an organisation was forced to execute a business continuity procedure which involved key staff logging on from home, they discovered that their Citrix remote access authentication tokens were out of date. Running regular simulations of scenarios like this would have identified and resolved that issue – and potentially a range of other assumptions that might have been made. There’s now a perception that you can run your business from anywhere with a mobile phone and laptop – but can you do this for an extended period? Is it safe for your business?

In the 2011 Brisbane floods, a number of businesses assumed their staff would be able to work from home – however, a lot of workers left their laptops locked up in the office, and others had no power at home.

How can we help with your Business Continuity Plan?

During the Brisbane floods, Interactive helped a number of its clients to stay operational and restore their critical services, but other businesses in the city were severely impacted. In the wake of the disaster, the Queensland Government has published a handy guide that’s a great resource for anyone tasked with developing or improving their organisation’s business resiliency.

If you are starting out on your BCP journey, it might seem overwhelming at first. As a final thought, it can help if you think of BCP as a continuum. Start at a high level by sorting out your critical functions, then refine your plan and get more and more granular as you go. “Fail to plan, plan to fail” – it’s also critical to test your plan and run simulations regularly. That way, you have identified any gaps or single points of failure in your plan and you are ready if disaster strikes. You can have the best business continuity plan in the world, but if you don’t test it, it’s worthless.