How to design a practical BCP that will work for your business
Part II of our Business Continuity Planning guidance.
When looking at the practical elements of a business continuity plan, it’s important to look at both the IT aspects of the business as well as the non-IT areas. Think of it as a holistic plan that covers all areas of your business.
The key things to consider for any BCP are:
Incident management – anticipate a variety of potential incidents and appoint a single point of contact for every scenario. You should also have a secondary contact person in case the primary contact is not available. You will need to define how the operational structure for incident management will work, as well as identifying other key members of your team who need to be involved in the plan. Areas of the business such as IT and telecoms, facilities management, HR and marketing communications will all need to have their crisis roles defined, mapped out and tested.
Telecommunications – make sure that the communications links between your primary site and secondary site have been established and tested.
Secondary site – Identify what will be needed to bring a secondary site online and fully functional. This doesn’t just need to be physical; it could be a cloud solution, so your team could work from home or various other places in the event of an incident. Applications, data and access need to be considered.
Replication – Plan how your data will be replicated to the secondary site.
Internal communications – -In the event of a crisis, it’s important to keep all staff members informed and engaged. Team members who have regular contact with clients and other external contacts need to be able to keep those stakeholders updated and reassured that business is continuing as usual.
External communications – damage limitation and reputational impact are critical in most crises, so it’s vital that your external comms team is part of the crisis management plan.
The testing phase
Once you have defined your BCP, testing to ensure that it will work is the next stage of the planning process. This phase will include processes, procedures, staff, hardware, software and testing.
You can split your testing into small, medium and complex phases and each will have a different resource requirement.
Tabletop – involves smaller numbers of people, such as a department and they will test a very focused area of the BCP. For example, it could be a test to restore data to an accounts application to prove the backups have performed as expected.
Medium – could involve several departments such as sales and marketing and how the departments would function if the organisation’s CRM system became inaccessable and recovery was required. It could be spun up at another location or worst case, the use of hard copy records to contact customers and prospects.
Full – A complete test of the BCP for the business as a whole. This should be a real-life simulation of a total failure of systems, devices, buildings etc. This will provide a realistic test of the solution and the consequences of a total disaster.
Maintenance and on-going verification
Maintenance is key to keeping systems and processes running. Continual management of the documentation, systems and processes should be performed to keep abreast of any organisational changes that may have occurred. For example, you may change your stock system and move away from manual records to electronic. If the electronic system fails, can you recover the manual records? Any changes to software, process or procedure need to be verified and documented. This will also include updates to contacts and personnel as organisations change and grow.
We all need a BCP
Business continuity is a fundamental requirement for all businesses, no matter what size. The on-going management and updating of this plan is crucial to give your business the confidence to overcome a threat or disaster and the ability to avert a crisis that could cause serious long-term damage.
For help with business continuity planning, contact us