Whilst business continuity is often described as ‘just common sense’, it is about:
- creating a holistic management process that identifies potential threats to your organisation and the impacts to business operations those threats, if realised, might cause, then
- developing a business continuity plan which includes a framework of effective response to ensure that your business can continue operating with the minimum of disruption.
The list of potential threats is depressingly endless. It includes:
- natural disasters, fire and flooding
- damage to critical infrastructure such as major machinery or computing networks
- theft of goods and data, from internal as well as external sources
- loss of power and its impact on systems, production and data
- supply chain disruption
- loss of key personnel either through illness or resignation
- strikes and protests.
Once all the potential risks have been identified, the next step would be to carry out a business impact analysis to assess the effect each would have and prioritise it by how critical it is to the business.
This would be followed by a recovery plan for each risk, setting out what needs to be done, by when and the costs involved. At this point the senior management team would need to consider its position if costs could not be met or the situation remedied within an acceptable time frame.
Once the business continuity plan is completed, it should be tested by means of introducing a number of impact scenarios and assessing how the relevant people react. Scenarios can be:
- Tabletop exercises which typically involve a small number of people and concentrate on a specific aspect of a BCP. They can easily accommodate complete teams from a specific area of a business. Another form involves a single representative from each of several teams. Typically, participants work through simple scenarios and then discuss specific aspects of the plan. The exercise consumes only a few hours and is often split into two or three sessions, each concentrating on a different theme.
- Medium exercises are conducted within a “virtual world” and bring together several departments, teams or disciplines. They typically concentrate on multiple business continuity planning aspects, prompting interaction between teams. The scope of a medium exercise can range from a few teams from one organisation co-located in one building to multiple teams operating across dispersed locations. The environment needs to be as realistic as practicable and team sizes should reflect a realistic situation. Realism may extend to simulated news broadcasts and websites, and typically involves a “Scenario Cell” that adds pre-scripted “surprises” throughout the exercise.
- Complex exercises aim to have as few boundaries as possible and incorporate all the aspects of a medium exercise. The exercise remains within a virtual world, but maximum realism is essential. This might include no-notice activation, actual evacuation and actual invocation of a disaster recovery site.
Whilst all this may seem excessive, those businesses that have effective business continuity plans and regularly update them generally survive!