The Importance of a Robust Business Continuity Plan

A strong business continuity plan (BCP) is a crucial part of an organization's response to potential disruptions in its operations. By developing strategies to respond to disruptive events and maintaining operations or business recovery in a timely fashion, an organization can minimize the risks to its continued operations, reputation and stakeholders.

Disruptions to an organization's operations can occur due to a myriad of reasons, from power outages, technological system failures or cybersecurity breaches, operational issues (availability of key staff, critical processes, accessibility to facilities or suppliers) to national and global events such as natural disasters (earthquakes, floods, wildfires) or a pandemic such as the current COVID-19 crisis.

Planning is an essential part in the development of an organization's BCP. A well thought-out BCP outlines the main steps an organization will take to respond to or minimize the impact of the disruption. In order to mitigate the effect of a disruption to its operations, an organization should consider the following during the planning phase:

• A risk assessment done by each business unit assessing its exposure to a disruptive event.
• Identification of critical business processes, the people and teams who will be responsible for the continued operation of those critical processes.
• Which processes, operations and/or team can be temporarily suspended if necessary, and for how long?
• Can the organization function with a minimal number of employees; if so what is that number?
• Where should the disaster recovery site be located? Will it be accessible to critical employees in a business continuity situation? How many employees can it accommodate? Does it have the technological systems and infrastructure to support the critical processes? Does it have appropriate safeguards in place to protect the organization's staff and networks?
• Does the organization support work from home through technology, policies and management? Are the technology systems and infrastructure capable of supporting the increased demand from a remote access scenario?
• Identification of mission critical outsourcers and vendors. Has their preparedness been validated if they are also impacted? How will they notify the organization if they are impacted? Is there an alternative if they are unable to perform their function?
• Which communication method to use to effectively communicate with employees, clients, regulators, vendors and other stakeholders? Who is responsible for communication? How frequently does the communication occur?

These are just some of the considerations that an organization must take into account when developing its BCP and is by no means exhaustive, given the wide array of potential disruptive events. As such, a flexible and comprehensive plan is a must.

Similar to planning, regular practice and testing of the plan provide valuable information/data that can further strengthen the BCP. For example, a remote work exercise, where the critical processes are performed at the disaster recovery site, may identify gaps in the plan or the need for workarounds to accomplish tasks. Similarly, testing of the remote access to the corporate network may uncover the need to enhance network capacity in order to support the potential increased demand. By practicing and testing the BCP, an organization increases its preparedness in the event of an actual disruptive event.

In general terms, an organization's BCP, regardless of its size and/or industry, should be simple and easy to understand and implement; should prioritize critical business processes and efficient allocation of resources; and should be tested and validated regularly. Lastly, the BCP is a living document; an organization must not treat it as a one-time process. Therefore, continued monitoring and review of its effectiveness ensures that when the need arises the plan will meet the needs of the organization.