Creating A Business Continuity Plan in 5 Steps
By Bob Brody and Marc Schmittlein
44% of small businesses are operating without any type of business continuity plan, and 56% of business owners reported spending less than 10% of their time identifying and preventing operational risks. (Quoted from Risk Management Magazine, January/February 2012 issue, page 14.)
“An insurance review should be a key part of any mitigation strategy”
1. Conduct a Threat Assessment. It is impossible to guard against risks that have yet to be identified. With a threat assessment, businesses can evaluate the probability and potential impact from natural disasters and man-made incidents that could affect their facility at a local, regional, national or global level. This is a good opportunity to fully understand and track how the business's supply chain operates, how products or services reach customers, and where customers are located.
2. Identify and Review Functions. Every company has responsibilities that are critical to its core business. Once those functions are identified, some owners find it helpful to assign a priority to each of the time-critical activities. They can rate each activity from 1 to 5 to show the length of time it can remain disrupted. For example, one day or less is a priority 1, two-to-four days a priority 2, three-to-five days a priority 3, and so on. The next step is to develop a planning objective for each activity. A planning objective states the organization’s goal for resuming each activity within a specific time frame (e.g., restore data center operation in four hours).
3. Perform a Business Impact Analysis. To be successful, businesses have to identify how various threats will impact their essential business functions. For example, if online sales are a core function, then a disruption in electricity or a damaged or sabotaged computer system can be a business-killer.
4. Develop a Prevention and Mitigation Strategy. Many actions, from the simple to the complex, can help control damage if a disaster occurs. If servers or other computer equipment are stored in a basement that is vulnerable to flooding, simply relocating that equipment to a higher floor can significantly reduce the risk. As mentioned, an insurance review should be a key part of any mitigation strategy. Also, be sure to plan and communicate across the organization. Assemble individual department or branch plans into the overall company plan, train key employees in their response to plan activation and be sure the plan is communicated to every employee.
5. Implement and Maintain the Plan. Developing a plan and committing it to paper is just part of the job. Testing is crucial to determining whether the plan will hold up under disaster conditions. Walk employees through different scenarios that can significantly impact a business and explain how to manage the circumstances. The plan can include everything from important phone numbers of management personnel and service providers to locations of back-up data. This is also a good time to build in redundancies, such as alternative suppliers or shippers or employees who can fill in to execute a part of a plan if the first-line employee is unavailable. In addition, the plan should be updated and reviewed regularly and reflect significant changes, like new employees, locations, suppliers or systems.
Bob Brody is senior vice president of global operations claim and risk control for Travelers. Marc Schmittlein is president of Travelers Small Commercial.