Business Continuity Planning: 5 Smart Steps to Get You Started

  • August 14, 2018
  • Quantivate

How does your organization define business continuity? In today’s corporate environment, continuity planning has to cover more than major natural or man-made disasters. The increasing digitization of business processes means that incidents like technology failures, security breaches, and other disruptions can have just as much of an impact on not only your organization’s critical operations, but also your reputation.

When disaster strikes, responding in crisis mode only leads to poor communication and longer recovery times. On the other hand, enterprise-wide business continuity and disaster recovery plans equip businesses to be proactive and minimize downtime for critical processes.

Did you know? While it’s a common misconception that business continuity (BC) and disaster recovery (DR) are interchangeable terms, DR is a subset of BC focusing primarily on data recovery and other IT-related issues. Business continuity planning is the much more comprehensive process of ensuring all critical business processes remain available during and after a disaster.

Some of the top causes of business downtime include hardware failure, human error, and software failure. And the costs of interruptions and incidents are high—and rising—according to recent research:

  • $100,000+: the average minimum costs resulting from one hour of network downtime (ITIC)
  • $3.86 million: the average cost of a data breach (IBM / Ponemon Institute)
  • 130: the average number of security breaches each year per organization (Accenture / Ponemon Institute)
  • $11.7 million: organizations’ average annual spending on cybercrime incidents and recovery. Average costs escalate to more than $17 million for businesses in the financial services and energy & utilities industries. (Accenture / Ponemon Institute)

Compounding the risk, too few organizations have invested the necessary planning to detect and prevent vulnerabilities—leaving them open to potential disruptions and their associated costs (financial and otherwise, from lost productivity to reputational damage).

So what does it take to build agility and resilience into your organization? We’ve identified five foundational steps that will get your business continuity and disaster recovery plans going in the right direction.

1. Identify & Assess

The first step is to identify and prioritize your most critical and time-sensitive processes, gauge their impact on your organization, and project the risks and consequences of those processes becoming unavailable. Two activities that streamline this procedure are business impact analyses and risk assessments.

Business Impact Analysis

A business impact analysis (or BIA) maps out your company’s processes and how they influence operations. This interview-based analysis gathers information across the organization to identify both operational and financial impacts that could result from business disruptions. Impact categories to consider might include:

  • Lost or delayed sales or revenue
  • Increased expenses
  • Regulatory fines
  • Contractual penalties
  • Customer dissatisfaction or defection
  • Delayed business initiatives

BIAs also involve setting limits on acceptable operation levels following an incident, according to two metrics:

  • Recovery Time Objective (RTO): the maximum amount of time a resource can be unavailable
  • Recovery Point Objective (RPO): the maximum amount of data an organization can afford to lose or recreate

Lastly, the BIA will help you determine criticality tiers, or the order of restoration for your most essential processes and services.

Risk Assessment

Risk assessments identify threats and vulnerabilities that could lead to business interruptions. They also project the potential consequences of disruptions to assist with recovery planning.

Most risk assessments involve a three-step process:

  1. Identifying potential threats: natural disasters, power outages, pandemic disease, vendor failure, cyber attacks, etc.
  2. Determining which assets would be at risk: considering business locations (property, systems or equipment, etc.) as well as business processes (related to core operations, information technology, etc.)
  3. Analyzing possible repercussions: assessing what controls are in place to address risks

An effective risk assessment generates actionable recommendations for preventing disruptions and increasing the availability of your most important operations.

The combined results of the BIA and risk assessment provide a launching pad for informed decision-making about continuity and recovery priorities.

2. Define & Document

With a business impact analysis and risk assessment completed, you can now build on that information to define your priorities and document disaster procedures in a variety of categories.

Some to consider include:

  • Continuity of operations
  • Application disaster recovery
  • Platform recovery
  • Server recovery
  • Data center recovery
  • Crisis management

Pro tip: BC/DR plans too often turn into piles of paperwork or digital files that no one knows where to find. Upgrading your documentation to a centralized, digital BC platform ensures that important documentation is kept together for easy access and maintenance.

3. Test & Refine

Testing, or exercising, your business continuity plan confirms that your procedures will work in practice, not just on paper.

Most importantly, scenario-based testing identifies gaps between your organization’s continuity and recovery requirements and your current capabilities. But it also provides other benefits, including:

  • Documenting compliance
  • Clarifying staff members’ roles and responsibilities
  • Practicing emergency procedures
  • Providing opportunities for training and education
  • Improving communication and coordination between departments or business units
  • Collecting feedback for program improvement

Similar to its counterpart in the world of physical fitness, exercising your preparedness program will help improve the strength, agility, and overall health of your business.

4. Review & Update

Annual reviews are a common approach, but don’t just run your exercises and call it done. Out-of-date or incomplete continuity and recovery plans won’t be helpful if something goes wrong. To avoid getting caught unprepared, make sure to update your plans to reflect any business changes, new systems or infrastructure, new regulations or internal policies, or other developments.

Some options for reviewing your plans include:

  • Tabletop exercises: Discussion-based sessions where teams talk through their response to certain scenarios and assign roles and responsibilities in case of an incident.
  • Walkthroughs or workshops: Training for staff members to familiarize themselves with BC/DR plans, emergency responses, communication plans, or other procedures. This is also a valuable opportunity to collect feedback and suggestions for improved plan implementation.

5. Automate & Eliminate

Automating repeatable tasks like tracking risk exposure, monitoring regulatory changes, distributing updated plans, and creating reports frees up time for tasks that require your attention and expertise.

Plus, fewer manual processes—particularly when it comes to response procedures—lessen both think time and the likelihood of human error. Business continuity solutions should offer built-in options for automating and streamlining repetitive tasks.

Why You Need a Business Continuity Plan

If you don’t have a business continuity plan, or it hasn’t been updated in a while, don’t wait until an incident occurs and you’re forced to play catch up. The costs of unplanned business interruptions are too high to risk getting caught unprepared.

The benefits of a comprehensive BC/DR strategy—the assurance that your organization is prepared to withstand and respond to crises—far outweigh the initial setup efforts. Better yet, your organization will have a framework for effective business continuity management well into the future.

Looking to take the next step in business continuity management? Learn more about how Quantivate’s Operational Resilience Management Solution can help you create and maintain comprehensive continuity and disaster recovery plans.
