The topic of business continuity planning has been much on my mind lately. I’ve had several clients ask about it or begin the process, so I’ve been digging deep into information security frameworks that require BC/DR plans - an important part of an organization’s overall cyber security health.
What is the difference between Business Continuity (BC) and Disaster Recovery (DR)?
First, I need to define what I mean when I write “business continuity.”
I’m referring to the ability of a business to continue its essential functions in the face of a disaster. This is different from disaster recovery, which I define as more related to restoring interrupted services than ensuring a smooth flow of services.
Also, note in the previous paragraph that I described BC planning as a process. A good BC plan is never "done," but rather is tested and revised at least once a year.
Why Do You Need a Business Continuity Plan?
Some firms have to do business continuity planning to comply with industry regulations or because their auditors require it. That’s a good enough reason, but it’s also a valuable activity for any SMB. The obvious benefit, of course, is that you’ll have a process for dealing with a disaster.
There are other benefits, however, including:
- Learn and document what services and functions depend on others. This can help you identify where you need to invest in redundancy and where you can save. The results might surprise you!
- Collect emergency contact information for your teams.
- Compile a complete inventory of critical infrastructure.
- Identify critical individuals that you may not have realized were critical. The facilities worker who has the only key to a storage room and the one person with the login to process payroll are two examples.
Steps to Create a Business Continuity Plan
Following are the basic steps to creating a business continuity plan, but please reach out to us for more information, as this only scratches the surface!
Step 1: Identify the scope and objectives of the plan, along with budgetary requirements.
Step 2: People! You'll need to gather the right group to form your business continuity team, and define the roles and responsibilities.
Step 3: Conduct a Business Impact Analysis (BIA) so you can predict the potential impact on your business. This will help when it comes to creating strategies that will be adopted by the company during recovery.
Step 4: Based on the BIA, your team will identify response and recovery strategies that will address the disruption. For every critical function, process or service, there should be a corresponding continuity plan.
Step 5: Time to document! All details should be compiled and documented, which may take a few drafts with adjustments along the way, before you get to the final.
Step 6: Your documented emergency response and recovery strategies need to be communicated to the organization, and then tested through drills and other exercises. This is an opportunity for course correction.
Step 7: Business continuity is never "done." Since testing and evaluation need to be done on a continual basis, you should expect your BCP to be updated regularly.