What is a Business Continuity Plan?
Every organization, large or small, should have a tested BCP in place. Should disaster strike, lack of a plan causes chaos and can lead to employee injury and death, damage to your reputation, fines for non-compliance, unproductive employees, lost revenues, and financial losses. Having a plan or not means the difference between getting back into business or going out of business. In fact, 75 percent of companies without a BCP fail within three years of a disaster. According to the Institute for Business and Home Safety, an estimated 25 percent of businesses do not reopen at all following a major disaster.
What Happens Without a Business Continuity Plan?
As a business owner or business executive, you should understand how much it can cost your business if operations cease. For example, the International Data Corporation (IDC) reports these typical costs for a Fortune 1000 company:
- The average total cost of unplanned application downtime is $1.25 billion to $2.5 billion per year
- The average hourly cost of an infrastructure failure is $100,000
- The average hourly cost of a critical application failure is $500,000 to $1 million
For small to medium-sized businesses (SMBs), the estimated cost of downtime ranges from several hundred to many thousands of dollars a minute. How much it might cost your company depends on the nature and size of your business. You need to factor in all the following to calculate how much it will cost you if your business ceases operations:
- Lost revenue
- Decreased employee productivity
- Stressed employees, especially IT manpower
- Dissatisfied customers
- Brand damage
- Potential legal penalties for regulatory non-compliance
- Compromised service levels (both internal and external)
Who Should be Involved in Business Continuity Planning?
A Business Continuity Manager (BCM) is initially identified to assemble the team and lead the development of the plan. This individual must have support at the highest levels of the organization to be successful. This means that the program must have an executive sponsor and senior management involvement via a Steering Committee. Experience demonstrates that BCP programs with executive sponsorship are more likely to meet their recovery time objectives (RTOs) than those with no executive sponsorship.
The BCM selects individuals from across the organization to join the team. Selections are based on an analysis of the types of unforeseen events that can occur: natural disasters or weather-related events, fires, threats to employees or the facilities’ perimeters, sabotage, employee strikes, IT events, equipment failures, malicious software attacks, data breaches, employee safety issues, supply chain interruptions, power outages, property damage, property theft, product safety issues, social unrest or terrorist attacks, management or company reputation-related scandals, and the death or unexpected departure of a top executive.
BCP team members typically include:
- Executive sponsor
- Business Continuity Manager
- Security Officer
- Chief Information Officer
- Key vendors and partners
- Department-specific leads, which include:
  - Risk Management/Compliance
  - Customer Service
  - Facilities Management
  - Public Relations and Employee Communications
  - Human Resources
  - Information Technology
What is the Difference Between Business Continuity and IT Disaster Recovery?
While most people talk about business continuity and disaster recovery planning in the same breath, they are different plans.
A Business Continuity Plan provides the direction to ensure the organization maintains or resumes business after a disaster, establishing recovery point objectives (RPOs) and RTOs to resume company operations. It maps out the processes and procedures for activating emergency evacuation and the plan itself, and it identifies roles, responsibilities, and contacts. It ensures employees have a safe, temporary place to work (if necessary) with access to the systems, applications, and phones to do their jobs. It ensures key business processes are up and running, internal and external communications are resumed, the website is up and running, and other crucial operations continue uninterrupted.
An IT Disaster Recovery Plan is a subset of the overall Business Continuity Plan. This plan is intended to recover technology services such as systems, networks, and data to the “employees’ desks.” The Business Continuity Plan then takes over to get employees back to work at their “desks” with all the other tools they need to resume normal business operations.
If you need assistance in developing an IT Disaster Recovery Plan, download “How to Effectively Budget for IT Disaster Recovery.” This document discusses IT risk preparedness and provides a straightforward budgeting approach for estimating the cost of effective disaster recovery and IT continuity for your unique infrastructure.
If You Don’t Have a Business Continuity Plan, Start Today
If you are not a company executive, your first action is to get executive sponsorship for a BCP. As a start, forward this article to all your executives to initiate discussion. Once there is executive sponsorship, consider hiring a consultant to assist in developing your plan, if your budget allows. Alternatively, search online for a downloadable plan template that can help guide you through the process.
Consider and prioritize the type of disasters that most commonly affect your type of business and formulate your plan to address those first. Most importantly, be sure to test the plan regularly to ensure you have working processes in place to mitigate potential disasters.
Once you’ve drafted your Business Continuity Plan, keep in mind that just as your business continually evolves, so must your plan. For more information about why your plan must always be updated, review “Are You Sure Your Business Continuity Plan Still Works.”
A Business Continuity Plan is vital to keep your business in business should disaster strike. And be forewarned, disaster will strike. If you haven’t had a plan in place and have not yet experienced any type of disaster, consider yourself lucky. No company is immune from natural disasters, such as a fire or extreme weather catastrophe. Perhaps more importantly, human-made disasters — ransomware, malware, and other such hacker attacks on business data — are on the rise at an alarming rate. Every company needs to take proactive steps to protect against potential disaster. Just as importantly, every company needs to prepare to get back in business when, not if, disaster strikes. To do this, you need a tested and updated BCP in place, including an effective and well-documented backup strategy.
If you don’t have a BCP, you need to get started putting one together today, if not sooner.