Many startups believe that Business Continuity Planning (BCP) is complex, time consuming, and requires too many resources. Given the volatile nature of business startups, this is understandable. However, BCP doesn’t need to be complex nor time consuming if approached using a simple method.
Basically, BCP is about identifying your critical products and services and determining the impact of a prolonged disruption to those products and services.
The first step is to conduct a Business Impact Analysis (BIA) – don’t let this name or acronym put you off: it’s quite simple. Make a list of all your products and services, regardless of whether you think they are critical or not. For each product or service, note down the maximum period (in hours, days, weeks, etc.) that your business can survive without the ability to produce and deliver your products and services. This is referred to as the Maximum Tolerable Period of Disruption (MTPD).
Alongside it, note down the total financial loss to your business if the period of disruption goes beyond the MTPD. Repeat this process for each product and service. Based on the MTPDs and the losses you can determine which ones are the most critical. The lower the MTPD and the higher the loss, the more critical they are.
Next, conduct a Risk Assessment. Make a list of all the threats that could disrupt your operations, especially the most critical processes. Commonly, threats are grouped into Natural (like earthquakes, storms, etc), Building (like fires, flooding, air-conditioning failure, power failure, etc), Technology (like Data Centre failures, network and communication failures, Internet failures, Cyber-attacks, etc), Civil Disturbances (like riots, protests, vandalism, etc) and Pandemic (such as SARS and currently, COVID-19). Make a list of all the threats that you believe could negatively impact your business. For each threat, identify the risk of disruption to your critical products and services. To determine the risk, identify the vulnerability and the impact.
Vulnerability means how likely it is for a threat to disrupt your processes. Impact means how badly the threat can impact the processes should those threats occur. The higher the vulnerability and the impact, the higher the risk. Then for each risk, make a list of all the measures you need to put in place and the actions you need to take now to prevent or reduce the likelihood of any disruptions.
Once you have a clear understanding of your critical products and services, and have determined the threats and risks, you are ready to develop your Business Continuity Strategy. This can simply be a list of objectives stating clearly what you want to achieve and then making a list of all the actions you’ll need to take on a regular and ongoing basis. The actions will need to be in two parts. The first part will be a regular and ongoing schedule of the actions to reduce the likelihood of any disruptions and second is a list of all the plans you’ll need in order to recover your products and services should a disruption occur, and a schedule to regularly test those plans.
Plans are documents that list the steps you’ll need to take during a major disruption. A Crisis Management Plan details the steps to take to determine the level and seriousness of the disruption. It should include all staff safety matters including an evacuation procedure when required. A Communication Plan will detail the steps to effectively communicate with your staff, your customers, your partners, etc., during a disruption. A Disaster Recovery Plan will detail all the steps required to recover your IT systems and all your data.
Finally, you’ll require, for each department or function, a Functional Recovery Plan (FRP). An FRP details the location, if necessary, to operate from during a disruption, the minimum number of staff members you’ll need, the systems you’ll require to operate and all the contact details of staff and partners/suppliers. It should also include a step-by-step procedure to produce/deliver the critical products and services. It’s best for the procedures to be minimised, and bureaucracies reduced as the alternative location and the reduced staff count may not be able to perform the processes as are done in normal situations.
All in all, these plans must regularly be tested to ensure that any discrepancies are identified and fixed, so that during an actual disruption the plans are as effective as necessary. This whole exercise – the Business Impact Analysis, Risk Assessment and Business Continuity Strategy – need to be regularly reviewed at least once a year and adjusted based on any changes to your operations, or your products and services.
BCP is imperative to the continuity of your business, so make it a business culture and stay safe.