When you begin your BCP (business continuity plan) project, it’s a good idea to produce a checklist of tasks. This helps you stay on top of your progress during what will almost certainly be a long process.
To give you an idea of what your business continuity checklist should consist of, we’ve created this three-step guide.
1) Assemble the team
You’ll want a team of employees to take primary responsibility for the BCP. You must, therefore:
- Decide who has the skills and experience for the project;
- Make sure every department is accounted for;
- Appoint a team leader; and
- Find a way for them to manage their current role with their new responsibilities.
2) Determine the scope of your BCP
The next step is to decide what incidents your BCP will prepare you for. To do this, you must:
- Conduct a risk assessment; and
- Conduct a BIA (business impact analysis).
Risk assessments involve a review of your organisation to determine the types of incidents that might cause disruption and their likelihood of occurring.
A BIA enables you to identify your crucial business processes and resources and to assess the impact of their disruption over time. From this, you can determine your disaster recovery timescales and priorities.
The risks you’ll face will depend on your setup and location, but here are a few things most businesses should consider:
- Breaches of the physical perimeter.
- Cyber attacks leading to data loss.
- Cyber attacks that compromise the availability of data (ransomware attack, etc.).
- Fire damage.
- Water damage.
- Extreme weather (snowstorm, tornado, etc.).
- Technological failures (power cuts, corrupted data, etc.).
You can assess the potential impact of each incident by asking a series of questions about your activities, technologies, resources and staff:
- Which key activities will be affected?
- What resources do these activities depend on?
- What kinds of disruptions will we face if our servers or workstations are damaged?
- What sort of impact will these disruptions have on the business (financial, reputational, etc.)?
- At what point does the impact of the business disruption become unacceptable?
- When should the disrupted activity be recovered?
- In what order should the affected resources/activities be recovered to restore business functions?
3) Create a plan
Now that you have all the relevant information, it’s time to create a response plan. BCPs contain four core phases (initial response, relocation, recovery, restoration) that act as a framework, but as with your risk assessment and BIA, the specifics will vary between incidents.
For example, the relocation phase will follow the same broad outline for any disruption in which the premises are damaged. Equipment will have to be moved. Staff will need to find temporary workstations. You must ensure that the business continues with as little disruption as possible.
However, the practicalities of relocation will differ dramatically between, say, a fire and a burst pipe. A fire is most likely to start in your server room (where there’s a high risk of power surges and overheated electrical equipment), but a suppression system can prevent the fire from spreading, meaning only a small part of your organisation will be affected.
By contrast, a burst pipe will probably occur in a kitchen or toilet, and the resulting damage can compromise entire offices. You cannot allow your workers to operate in an office if they don’t have access to a working toilet or if the damage causes a nasty smell. Likewise, any parts of your office affected by water damage to floors or ceilings will need to be evacuated.
Here is a broad range of tasks that you can use in your BCP:
- Determine which systems and locations are affected.
- Determine whether sensitive information has been compromised.
- Evacuate staff from affected areas.
- Remove functional systems from affected areas.
- Find new workstations for affected staff (ask them to work from home, set up temporary desks, etc.).
- Determine whether you can resolve the issue yourself (and if so, how).
- Initiate the recovery process.
- Decide at what point the ‘standing down’ process should begin.
- Test whether the recovery was successful.
Want personalised advice?
The intricacy of business continuity planning means that if you’re looking for specific advice, you need to speak to someone who understands the risks you face.
But that doesn’t mean having to fork out for a consultant. Instead, get in touch with one of our experts. They’ll listen as you explain your situation, provide tailored advice and recommend tools and services that will help.
This blog was updated 15 November 2018.