What is a Business Continuity Plan and Why your Company Needs One?

Disasters and disruptive incidents are unpredictable and have high chances of interrupting the regular flow of a business. Studies show that 93% of companies that experience a disaster, without a recovery plan in place, go out of business within a year. A business continuity plan refers to the ability of an organization to keep functioning according to the pre-defined levels even after facing any uncertainty. 96% of companies that experienced something as fatal as a ransomware attack but had a recovery plan, survived.

There are chances of companies confusing the Business Continuity Plan with a disaster recovery plan due to some of their similarities. Unlike disaster recovery plan, which is often counted as a part of the former, BCP also focuses on minor interruptions such as power outages or changes in location. Organizations can therefore adopt certain measures and decide which steps should get included in a BCP and how to securely buy in for the business continuity policy from key enterprise leaders to prepare themselves for disasters in terms of communications to employees, suppliers, customers, and other stakeholders.

What Should a Business Continuity Plan Include?

Regardless of your business type or industry, your business continuity plan should formally include the following:

• BCP Scope: This includes all the equipment, devices, supplies, and personnel that get affected by the outlined emergencies as well as the staff members who use these resources the most.
• BCP Domains: The business-critical risk areas or departments and members whose roles and responsibilities come under the business continuity policy scope should be included in BCP domains.
• BCP Teams: Teams include formal leaders and decision-makers in the advent of a business emergency as well as the contact information of all relevant emergency responders and support personnel.
• BCP Documented Workarounds: The employees must be trained on what they should do when a typical business process gets disrupted using these official documents, go-to action guides, and procedures, including backup tools and technology to use.
• IT-related Disaster Recovery Methods: This includes the data backup and recovery systems the company chose to preserve and access proprietary data during emergencies, including on-premises backup devices, self-managed cloud storage, outsourced cloud storage, or a hybrid data solution.
• BCP Managed Service Provider (MSP) Contracts: The contact information of an outsourced third-party vendor should be preserved to request assistance during the time of emergency.

Steps to increase resilience and successfully survive a crisis

Here are some vital actions that small businesses should consider increasing their resilience and likelihood of surviving a crisis:

1. Make a list of all the possible setbacks
   Disaster scenarios may include loss of power, extreme weather & natural disasters, customer/employee accidents, and other issues. The first step is to set up a communication plan for all the different possible scenarios, as it can vary depending on the situation.
2. Develop a crisis communication plan
   There can be various levels of legal formalities and documentation for small/medium businesses and established corporations. In that sense, the communication plan can work as a guide or checklist, with the priority placed on enforcing an easy-to-follow procedure during various potential emergency scenarios.This plan should include the following checklist of communication:
   – Internal stakeholders such as your employees, attorney, insurance agent, vendors/suppliers, banker, etc.
   – External stakeholders such as your customers, law enforcement, fire department, emergency responders, and other agencies may be involved.
   – Pass on the information to the stakeholders by maintaining a list that contains their names, email addresses, and phone numbers.
   – Make plans to use the phone, email, texts, social media, or any other effective way to communicate the details.
   – Set up ease of communication so that the external stakeholders could reach out to you for any help or urgent requirement.It is essential to be prepared with an updated call or greeting message that could inform all the clients that your business is in running conditions. If you are the only service in town offering something while everything else is shut down, your customers should get aware of that. It is necessary to set a mode of communication for contacting you and have a brief response that says you are in business – “We are open!”
3. Have a medium for sending employee alerts
   Today, the most affordable and convenient alerting medium that any small business can use is social media. It would be helpful to set up a Twitter account to pass on updates or create a Facebook group in which all your employees and internal stakeholders are added. When you face a storm like Sandy, you can use the social media channels to send out a quick message to all your employees telling them not to report to work. You can also use it to get information about your employees during or after the storm.
4. Identify roles and responsibilities
   It is in the best interest of every organization to pre-decide all the roles and responsibilities such as who initiates the alert, who communicates with the media, who deals with the lawyer, etc. As the owner, you may want to get involved in all the conversations, but it is advisable to designate individuals for all such roles.
5. Backup your contact list
   It is recommended to safeguard all your contacts, such as through the means of Facebook groups. You can also keep an emergency contact list on your computer by regularly backing it up on a USB drive and keeping some printed copies as well. Having only one communication channel as the single point of contact could result in losing all the connections at once during a disaster.
6. Update content on the website
   Most of the web platforms offer self-service capabilities where you can log in easily and quickly post a message on your homepage. Make sure you or someone you trust have credentials and are trained to update the content on the webpage.
7. Test your plan
   This is a phase that most small businesses overlook. Whatever plan you create, make sure that it is tested at least once if not more. You can start with conducting a mock drill, testing your alerting channel, and then using these learnings to make improvements to your plan. When tried and tested a couple of times, your stakeholders will automatically get familiar with what to do and you will be able to execute your plans with a fewer number of human errors.

The goal of a BCP is to mitigate the damage and reinstate operations before any of the above scenarios become existential business threats. Even small-seeming events like a storm damaging physical building infrastructure can trigger consequences affecting other core business domains. For example, consider the effects of a tornado that destroys the only third-party warehousing service you use to store your inventory or a ransomware attack holding hostage your customers’ payment and account information.

When such incidents strike, a business continuity plan outlines what to do, when to do it, and who takes care of it, mitigating the risks and keeping the business above water.

Role Played by SISA

SISA, having decades of experience in the information security domain, can help you successfully create and implement a reliable Business Continuity Plan. It offers globally trusted services such as conducting gap assessment, remediation support, and completing final assessment for you to achieve ISO 22301 certification. SISA can also help you validate your BCP and make it resilient for your business to keep functioning during and after any crisis.