After the dust is settled and the disaster has passed, what do you see when you look back? How (and how fast) did your company get back to business? Did systems and processes halt altogether, or were you prepared with back-up options to keep them going?
No doubt, going dark for even a day can have its consequences; and in an age when everyone is looking for assurances, having a combination of an Emergency Management Plan (EMP), a Disaster Recovery (DR) Plan, and – importantly – a Business Continuity Plan (BCP) will bring your clients and employees peace of mind while ensuring your team has the resources and know-how to continue to operate through an emergency and bounce back afterward.
“[Business Continuity Plans] are almost becoming mandatory now,” says John Stephenson, a senior vice president with FirstOnSite Restoration. “Clients want companies to demonstrate that they have those plans in place and that they’re being updated and tested regularly. After all, if their service providers are at risk of failing, so are they.”
That said, there can be some confusion within many organizations. They may not know which plans they have in place or how to maintain them. Having a DR Plan means having a clear strategy for restoring operations after an emergency event, while having an EMP means you have a “guidebook” ready to deal with an event itself. It outlines your plans to manage that actual emergency (for example, your respond to a flood).
A BCP, however, is an internal document that addresses your overarching company-wide ability to operate your business as a whole while the disaster is taking place and through your recovery. The BCP addresses how to continue providing service to your clients, keep production running, keep servers functioning, and ensure employees are receiving their pay. It speaks to your ability to continue operations throughout the entirety of an event. For such a plan to be effective, it must include strategies to protect, restore, and back up everything from a company’s critical infrastructure and data to its ability to pay staff and keep funds and supply chains flowing.
If any of these key process areas fail, and you are unable to provide your key services as a result, the business risk is simple and severe. For example, at a branch-based company like FirstOnSite, the Business Continuity Plan speaks from a head office point of view; if any of these critical systems were to fail at a head office level, it could affect the business as a whole across all three dozen of their branches. Alternatively, if there is a disaster at a single branch, operations at that branch may be affected but that won’t affect the entire company service.
“If any of those elements falls apart, it doesn’t matter what we’re doing for our clients, we’re finished as far as operation goes,” notes Stephenson. “That’s why it’s so important to have that plan ready to go so you can show your stakeholders that you have everything covered.”
BCPs also identify staff roles following a disaster. That includes senior executives who will become incident managers, IT leaders who will bring the company back online, and HR professionals who will be responsible for ensuring payroll, accounts receivable, and cash functions are in operation.
For example, Stephenson adds, “Our own plan includes our vice president of communications because if the media finds out that something has gone wrong in our company, we need to get on top of that message. Along the same line, our plan includes communication templates that allow our VP to quickly get our messages out instead of scrambling to create one from scratch during an actual emergency.”
Drafting a BCP, however, is just the beginning. Whether it is created internally or with outside consultation, it must have a buy-in from the C-suite level and input from all departments to ensure all business functions are being considered and that it is being taken seriously throughout the organization.
Moreover, says Stephenson, “The problem we often see is that companies are putting a lot of effort into creating these plans only to put them on a shelf and forget about them for years. You really need to treat these plans as live documents. You need to recognize that business change and people come and go, so all those details – employees, positions, and contact information – are going to change. That’s why we always recommend that companies take one day out of the year to do a full review of the plan, and then run a tabletop exercise once every two years to make sure it’s still relevant in a live scenario.”
That exercise might entail taking the company’s IT service offline, cutting power, or disconnecting critical infrastructure to see how well the Business Continuity Plan performs under pressure. Only then, says Stephenson, can companies see firsthand where their plans hold up and where they fall short.
“Servers can go down, systems can fail, and critical pieces of equipment can be rendered useless. All those things can come into play during a live exercise, so learning that before an actual event takes place will help you create a more realistic strategy,” says Stephenson.
With final advice for post-disaster planning, he adds, “You need to start your plans off right, make them a priority, and get a buy-in from everyone. That not only makes it easier for us to help you recover from a disaster, it also makes sure your clients aren’t at risk when something goes wrong.”
John Stephenson is a senior vice president with FirstOnSite Restoration, a leading Canadian disaster restoration company, providing remediation, restoration, and reconstruction services nationwide, as well as for the US large loss and commercial market. For more information, visit www.firstonsite.ca.