Having a business continuity plan can prepare you for the uncertainties of situations like pandemics, floods, and other catastrophes outside of your control. A business continuity plan is a detailed set of proactive measures to help a company prevent and recover from potential threats if they occur. Below are the areas we have explored with our clients as they develop or improve their business continuity plans and incorporate their pandemic responses.
Who should be in the room to help build the business continuity plan?
The right stakeholders can range from management to frontline operators. It’s important to have all of their perspectives on what’s going on in your operations to gain a collective understanding of the whole system and its interdependencies. Doing this exercise as a unified team, best conducted with a professional facilitator, will help determine if there are overlaps or gaps in responsibilities and helps eliminate a false sense of security of who is looking after what while highlighting resources and the availability of inventory and supplies. It’s crucial to understand the processes, where everything is, and if there are redundancies. This team identifies the critical path areas and roles and responsibilities (e.g., determine who is accountable, responsible, consulted, or informed for critical areas) essential to keep operations going in the event of an interruption.
How do I know what may threaten those critical areas?
Conduct a business impact analysis (BIA) and a threat and vulnerability assessment with your unified team. A BIA will help you identify your critical processes and points of failure in your current structure and understand your priorities to keep your operations and services going.
Gather intelligence on the potential threats and hazards. Information sources can include your unified team, insurers, historical data with disaster forecasting, and recent events that have impacted similar operations as yours. Threats can include natural or man-made disasters, be of internal or external origin to the organization, or even be a result from a combination of unlikely circumstances. Keep in mind new threats may be developing during the COVID-19 pandemic that were not yet considered, so be ready to check and adjust.
How do I know which threats could have the most impact on my operations?
You’ll want to conduct a risk/impact analysis to understand the potential extent of impact that threats could pose to your critical areas. To understand the risk of threats, consider assets and areas where risk resides such as in your processes, policies and procedures, communications, technology, employee health and safety, facility and staff locations, supply chain vulnerabilities, and customer interfaces. This can be done with your unified team by conducting interviews and observations with them as well as going through scenarios in a non-threatening environment to practice and think through various simulated situations.
How do I mitigate those threats?
You can start by prioritizing prevention and mitigation efforts to reduce the impact of the most to least severe threats based on your risk assessment. Once you’ve identified those risks that could have the biggest impact on the time it takes for operations to return to normal, you can start to develop risk mitigation controls to lessen the impact. Not all threats will need the same attention. Risk-control measures typically define where you will accept, manage, reduce, or plan for each risk. Risk-control measures should be based on your BIA.
What if the risk controls are not enough?
Because BIA and risk assessments are qualitative in nature, you will also need to think about recovery plans and incorporate them into your business continuity plan. Determine recovery time objectives (RTOs) and recovery point objectives (RPOs). RTOs establish an agreed-upon amount of downtime that can be experienced without having critical business impact. RPOs define the amount of time in which data may be lost in between backups that are critical to operating. RTOs and RPOs need to be considered during the BIA and risk assessment exercises to develop the best response to recovery of your business.
The threats and risks that your business faces constantly change and therefore your business continuity plan needs to be a living document that accommodates evolving threats and risks. Your business continuity plan needs to be reviewed, updated, and communicated on a regular basis to ensure it remains relevant.
A business continuity plan can differentiate your organization and protect your reputation with investors and customers. Many contracts require that your service or product be there through any supply chain fluctuations. By looking at your operations as a whole, you can mitigate the risks to deliver and start functioning again when any disaster strikes.
To learn more about how we have helped clients update or initially prepare their business continuity plans, contact your H&A team, or reach out to our business continuity experts below.
A business continuity plan allows you to:
Corporate Health and Safety Manager