Properly applied, a business continuity plan does more than keep the firm running in the event of a crisis. Business continuity planning is actually a proactive business process that helps an organisation identify its challenges, weaknesses and threats leading to operational disruptions. Mitigative measures can then be worked out and set in place. Most organisations have a disaster recovery plan in place, in case of an untoward incident, that will allow the business to carry on functioning and servicing its customers. A business continuity plan, however, is more extensive than a disaster recovery plan, as it must consider every aspect of the business that may suffer operational disruption.
These aspects include – but may not be limited to – the firm’s business processes, its assets, human resources, and stakeholders. Disaster recovery and business continuity planning are often linked but they are different. Disaster recovery tends to be reactive as it focuses on what the firm needs to do, to recover after an incident which disrupts regular operations. A business continuity plan, on the other hand, is proactive and takes a more “macro” approach. Disaster recovery planning is a key component of business continuity planning, and should contain the ‘how-to’ strategies, such as how business operations may be maintained, how to handle IT disruptions that affect service delivery, how to manage back-up systems and teams to maintain productivity, and keep the disruption from affecting the company’s bottom line.
Business continuity planning covers all phases of recovery; it has a wider scope and goes beyond just disaster recovery planning (DRP). A disaster is an event or a series of events that interferes with the firm’s ability to operate as usual and deliver its products and services to its customers regularly and consistently. DRP usually focuses on the recovery of technology facilities and platforms, networks, systems, servers, critical applications and databases which make up the firm’s technological infrastructure. Disasters may be natural or man-made, and include fire, flood, landslides, earthquakes, strikes, extended disruptions of utilities, war and acts of terrorism among others.
Planning for eventualities such as these involves knowing what to do in the event of an incident, step-by-step emergency response and management, guidelines to follow, checklists and supporting data, as well as reviewing, testing and updating the plan. There will probably be guidelines on ensuring the safety of employees, and how to limit damage from the disaster, as well as what measures must be implemented beforehand to ensure that the firm keeps operating. Everything that needs to be done will probably be documented and made accessible to designated staff who will be trained in what to do when a disaster hits. Business continuity planning, on the other hand, is more extensive than this.
It would probably start with identifying business continuity management goals, and possible existing points of failure. There will need to be a lot of information gathering or due diligence done, as well as business impact and risk assessments. The data gathered through these processes will define the critical functions that must be maintained, internal and external risks, the possibility of these happening, and the extent of their damage. Emerging technologies and the threats stemming from these, such as system hacking, cyberattacks, ransomware and malware, should also be taken into account during the business continuity planning process.
Business continuity planning will also take into account the current risks and what mitigative measures are in place to manage them, together with the resources required to support the organisation through the process. Because response time is critical in today’s business environment, the firm’s business continuity plan that incorporates disaster recovery planning needs to ensure that the board and senior management can respond speedily to disruptions. A business continuity plan is not a one-off document to be applied in the event of an untoward incident; it is an ongoing plan with processes that require understanding across the organisation.
Staff should therefore be aware of what to do not just in an emergency, but what to expect post-event, as in most cases, the disruption brings with it a certain amount of change in the way things need to be done. This change has to be managed for it to be effective, and for this, staff education, training and awareness will need to be at the appropriate levels. The plan itself needs continual improvement as it should reflect the environment in which it will be implemented; these environments are inevitably dynamic. For example, a “normal” business continuity incident response plan will vary quite extensively from a business continuity pandemic response plan.
The plan also needs to be regularly tested, reviewed, updated and audited. Feedback should be encouraged so that weak areas may be improved. Ideally, the plan should be simple and flexible because it will inevitably have to be applied at a time of crisis, when managing the situation may be more complex than usual, due to uncertainty or instability of the environment. Regardless of the capability of the board and management when faced with crisis and disruption, the business continuity plan will function as intended only if everyone is conscious of their roles and responsibilities, and can function as a team.