All organizations must prepare for uncertain times. Business continuity is the advance planning, preparation, and operations undertaken to ensure that an organization will have the capability to operate its critical business functions during emergency events. Events can include natural disasters, a business crisis, a pandemic, workplace violence, or any event that results in a disruption of the business operation. Plans should account not only for events that will stop functions completely but also for those that have the potential to adversely impact services or functions.
Risk The first step to a successful planning process is to make sure there is a thorough understanding of what is, and is not, critical to your organization. A Business Impact Analysis (BIA) and a Threat & Risk Assessment identify vulnerabilities and key activities of an organization and help focus planning. A thorough Business Impact Analysis should also examine process dependencies (what, or whom, each business process relies upon in order to do its work), which should be identified and accounted for.
Planning After developing an understanding of an organization’s processes, how critical those processes are, and the threats and risks inherent in key operations, appropriate plans and strategies should be developed.
Business Recovery The purpose of business recovery planning is to ensure that critical business processes can be recovered in the event of an emergency. A business recovery plan will document the actions, including temporary workarounds, that will be necessary to keep critical functions operational until IT applications, systems, facilities, or personnel are again available. This may include where and how to relocate people and processes in the event business locations are impacted or not available.
IT Recovery IT recovery refers to the development of plans and strategies for the recovery of the organization’s technology, including actions that will be necessary to restore critical IT applications and systems. The required technology to support recovery of business functions should be identified and implemented.
Management Prior to a crisis event, the organization’s management team should ensure that documentation of the steps and actions to take during an event is completed. Regular exercises should be completed to validate that plans and actions meet requirements and will be functional in an actual event.
Effective Crisis Management relies on a specific plan that details how the organization will manage a crisis event. A crisis management plan should also define the members of the Crisis Management Team that will manage that event. The responsibility of the Crisis Management Team is to lead the organization through emergency events and make adjustments to maintain safe operations and the safety of its employees. Crisis management activities include ensuring staffing levels will be adequate during an event for both external and internal needs, documenting the steps and actions to take during an event to accomplish the items above, and conducting regular exercises to validate that plans and actions meet requirements and will be functional in an actual event.
Ongoing Operations During a crisis, the organization will still need to prioritize safely restoring the operation of its core business functions. Planning should address how to ensure services or products can still be provided to customers, as well as the order and timing required to restore business processes.
Procedures Procedures should cover how to communicate with customers, vendors, and other third parties to ensure you are providing good information and support.
Resilience Planning and operations should identify how to support employees during an emergency event, as well as workaround processes to use when technology is not available.