The act of business continuity planning and implementation is not exclusively owed by large multinational corporations as many small business owners do think. Business continuity process is a life cycle process that every business must embed into the overall business strategy if they are to survive disasters when one occurs. The aim of business continuity planning and business disaster recovery planning is to ensure that risks that are associated to disasters and disruptive events are reduced or eliminated if possible.
Risks are identified and mitigated against through changing the way things are done or by enhancing existing business technology management processes. Research has shown that organizations do benefit from BCP OR DRP even when the disasters prepared against never happen. Companies see immediate improvement in business processes which in turn improves customers reliance on the governance of a business and this usually translates into more businesses,
Example of disasters that a small business can prepare against include: volcanoes, wildfires, earthquakes, tornadoes, flooding, tsunamis, pandemic, utility outages, security incidents, political unrests, dangerous material spill, etc.
Impacts of disasters on small organizations include the following; dampening of staff Morales, loss of customers’ confidence, direct and indirect financial loss, shortage of materials, etc.
This article is written to explain the process of small business continuity planning process that can be implemented by a company of any size within budget.
The BCP process
There is no any hard and fast rule behind planning for disasters and rainy days. However, there are simple best practices that have over the years proven to be fairly applicable to all kinds and size of entities (commercial and non-commercial). The universally accepted starting point for any business continuity plan is to firstly gain a working understanding on the organization. This is important as it will lay a very solid foundation that every other components of good business continuity plan are built upon.
Development of BCP policy that is compatible with the overall business objective: no strategic operative strives without been backed up by a full-fledged policy document. In today’s highly integrated and connected networked business environment where activities no longer work in silos, business continuity planning must be integrated into the overall control framework of a business enterprise. As a must, the scope, timing and nature of a BCP must be contained in the policy document.
Conducting an effective and relevant business impact analysis (BIA): business managers leverage on the useful feature of scenarios to have a feel of what would happen to a business given certain conditions. The first step in a meaningful impact analysis is the performance of stock taking and inventory analysis. Through the process of business impact analysis, a complete IT and non IT asset register is developed.
Perform sensitivity and criticality analysis: based on the business intelligence gathered from the BIA, companies study’s the relations that exits between identified assets and then establish or estimate the impact that damage to any of the identified assets would cause to the overall business and its objectives. Sensitivity analysis or criticality analysis makes reference potential threats.
Set recovery targets: the main purpose of going through the hassle of having an actionable business continuity plan is to minimise the time it takes for a business to recover from an unfortunate event and what it costs the business in monetary value. Targets for recover point objective (RPO) and recovery time objectives (RTO) are set after considering other unique circumstance of a business.
Develop an actionable continuity and recovery analysis: this is where detailed continuity plan is designed and developed. The choice of what kind of recovery strategy to be adopted is made at this stage. Small businesses generally make use of warm site to backup business critical events. The cold or hot site strategy can still be used by small businesses but, the down side of using those business recovery strategies is high and therefore should be given a second thought before implementing.
Perform a test on the plans: testing is in fact the most important step in the business continuity planning process. Although tests will not provide real life scenario but, it is still the best assurance that managers will get regarding the resilience of the intended backup system.
Maintain, monitor and control strategies through reviews and feedback: feedback must be obtained from business and security incidents. That is the only way the enterprise can learn and improve on the already existing process of sealing with disaster. A good example of monitoring and feedback stage of BCP is where a company examines what went wrong in implementation of enterprise resource planning project. Vital hindsight information is acquired simply by reviewing the whole process of a just contained incident.
You would have at this point noticed that business continuity planning process is a journey and not a destination. In other words, BCP process is a continuous activity which ensures that organizations are continually prepared for any unforeseen circumstance. A common mistake made by most failed businesses is that they neglect the importance of having a functional business planning in place.