Elizabeth Rasnick

Day 36 of 100 Days of Cybersecurity - Business Continuity


I have been surprised to discover how few businesses or organizations have a business continuity plan. Without one, businesses and organizations find themselves in danger of collapsing when negative events with a large impact occur.


The disaster recovery plan (DRP) and business continuity plan (BCP) often come as a bookend set. They serve two different purposes but frequently work in tandem. The disaster recovery plan details how a business or organization will respond to an unplanned event like a natural disaster or a widespread, extended power outage. The business continuity plan provides the steps required to keep a business or organization operational during an event. This may only be a partially functional status. Many of us experienced the deployment of BCPs during the immediate aftermath of the Covid-19 lockdown. Until then, it was not uncommon to never see your organization’s BCP. Unless something happened, no one saw the need to review or discuss it.


The BCP identifies roles and responsibilities, communication procedures, and testing and training. The roles and responsibilities listed are for the key leaders of the organization’s business continuity strategy. These roles will be a mix of executives, managers, and technical and operational personnel. For a response to be truly comprehensive, all the organization’s functional areas must be represented in the BCP. The communication procedures in the BCP should give clear details regarding which communication media to use given the type of event that has happened. It should also be clearly specified who will send communications to those within the organization and to anyone outside the organization. The information to be included in these communiqués needs to be detailed as well. These are emails to employees and contractors, press releases, and posts on social media. The BCP will do no good if it has not been tested and people are not aware of the roles they are expected to play when an event occurs. For this reason, there should be testing of and training on a BCP. The testing helps a business or organization determine if the BCP does what it is expected to do. The training helps everyone involved in deploying the BCP understand the role they play and how they need to coordinate their efforts with others.


The business impact analysis (BIA) determines the ramifications of a variety of events on an organization. The document helps to shape parts of both the DRP and the BCP. I would be remiss if I did not at least mention it here. The BIA is a written valuation of the damage, in various forms, that may be suffered from various events.

