In recent years the US Small Business Administration has raised alarms about the failure of most small businesses to adequately prepare themselves for potential disasters. Between issues with backups, inadequate cybersecurity training, insurance policy confusion, and a lack of basic disaster planning, it's no wonder the Small Business Administration is concerned. According to research, over half of small businesses are unable to continue operating after a disaster strikes. This is why planning for any and all disaster scenarios is so important. So what is business continuity and how does it factor into your business?

"Business continuity is the ability of an organization to maintain essential functions during, as well as after, a disaster has occurred."

Knowing what disaster scenarios your business faces, and the steps you should be taking to address them, gives you peace of mind that you're doing everything in your power to:

  • Keep employees and critical infrastructure safe
  • Keep data, applications, and proprietary information safe
  • Ensure you're still in business and able to resume operations as soon as possible after a disaster
  • Limit the effects a disaster may have on your customers, employees, and ultimately your bottom line

The terms "disaster recovery" and "business continuity" are often used interchangeably when it comes to planning for risk, so is there really a difference between the two? Well, sort of, but it's not a huge difference. Disaster recovery planning is highly focused on one area of the business: the information technology division. Disaster recovery plans are focused on ensuring the security, recoverability, and accessibility of the company's technology and data assets post-disaster, while a business continuity plan looks at the business as a whole and details the processes and procedures for each division. 

Business continuity isn't just for management's peace of mind; it's for your employees and customers too. We all want to work somewhere we feel secure, and that doesn't just mean in our individual positions. A continuity plan shows employees that, should the business face a disaster, you've made every effort to ensure they still have a role and a place to work. Your continuity plan also helps outline communication procedures, both in the event of a disaster and on a day-to-day basis, leading to more informed, involved, and happier employees. And when your customers know you're prepared for anything, their confidence in your ability to provide the product or service they've come to rely on increases. That increased confidence leads to better brand perception and a positive reputation with customers, vendors, and prospects. 

If these things aren't enough to convince you of the importance of business continuity planning, you can stop right here, because I don't know what will. But if you're convinced and ready to create a plan for your business...let's go! 

This guide will cover:

What Scenarios Should you be Preparing For?

Before we dive into the process of building the plan it's important to talk about all the possible reasons you need a plan, including some real world examples.

This is by no means an exhaustive list. Given the speed at which cybercriminals are adapting to the ever changing online environment we live in, it's unlikely an exhaustive list is possible. With that said, the following covers the types of threats your business might be facing and what you should be prepared for.

Botnets and Internet of Things Attacks

"Botnets" and "Internet of Things" attacks may sound like terms from a future trends research article, but they are very real and current issues facing businesses. So what are they exactly?

Botnets are collections of internet-connected devices, which may include PCs, servers, mobile devices, and any other Internet of Things devices, that are infected with and controlled by malware. Internet of Things devices are non-standard computing devices that connect wirelessly to a network and have the ability to transmit data. These are devices like smart refrigerators, TVs, thermostats, and even door locks that can be connected, monitored, and controlled over your network and through your smartphone. 

These two terms go hand in hand to form an Internet of Things attack. The term botnet comes from the words robot and network, and refers to large groups of devices, usually assembled for malicious activities. Hackers generally look for vulnerable devices, ones without the latest software updates or with easily compromised passwords, and infect them with specially crafted malware. Hackers then instruct these botnets to initiate a variety of attacks like spreading malware or taking down websites. Until fairly recently, devices compromised and used as components of botnets were generally Windows computers, but infiltrating smaller IoT devices for that same purpose is a growing trend. This trend is particularly troubling because these IoT devices are often not very sophisticated in terms of security, and they often do not get updates from their manufacturers as regularly as larger, more complex pieces of hardware do. In short, there are a lot of devices on the market - and more added every day - that haven't been designed with security in mind. And unfortunately for those of us in cybersecurity, more and more of these smart devices are being introduced into offices every day, leaving businesses like yours vulnerable to attack if not properly secured. 

The Dyn Attack 
In October of 2016 a botnet was instructed to send wave after wave of requests to domain name servers owned by Dyn. This attack made it extremely difficult, and for some impossible, to access certain websites. The most concerning part of this attack, and others like it, was that it was carried out using publicly available code running on devices that are increasingly common in our lives. This attack was not the first of its kind and will not be the last.


Outdated Hardware and Software

We know - maybe better than most - that hardware is expensive. So trust us when we say we understand that you don't want to replace a piece of hardware that is working perfectly just because it's "X" years old. That being said, it is necessary. Reports show that 60% of businesses are running unsupported and insecure devices on their networks and 95% of businesses have at least one piece of antiquated and potentially vulnerable hardware running on their network. 

While older devices are less of a risk than those that are completely unsupported, both are concerns to the security and continuity of your business. Both can put businesses at a higher risk of security breaches. Outdated hardware opens your business up to an untold number of security risks, and could be a major source of downtime affecting customers and employees. 

Constantly monitoring for, and applying, updates and patches to both applications and device operating systems is essential to addressing security flaws and vulnerabilities that have the potential to let cybercriminals in. This is even more important if you're in an industry with certain compliance standards, as not having up-to-date software or operating systems could easily put you out of compliance. Always make sure you're checking for application, software, and operating system updates, and updates to any browsers installed on your devices. 

Our advice? If it can be updated, update it!

Reputation Threats

One of the most alarming emerging threats is reputation sabotage. Activists and hackers have begun launching more and more cyber attacks on executives, business owners, and companies as a whole in order to tarnish the reputations of those who hold different viewpoints than theirs. These attacks were once limited to the most sensitive industries - such as lumber, fur, chemicals, and those who test drugs or cosmetics on animals - but now, virtually all industries are a target. 

IT departments need to be vigilant in monitoring social networks, blogs, and other user-generated media and be proactive in correcting false information, as well as issuing positive content relative to the person or business under attack. For some, having negative content taken down can prove impossible. 

Threats out of Your Control

It's always important to remember that your business might have to recover from things outside of your control. Attacks on your vendors, customers, business partners, and even the government could have adverse effects on your business. For example, state and local governments are just as attractive a target to cyber criminals as small businesses. Government entities maintain a lot of data, access to databases, and control of the services needed in the everyday lives of your employees and the day-to-day operations of your business. In terms of data, many local and state governments have records containing social security numbers, driver's license information, health information, tax documents, tax ID numbers, patents, trademarks, copyrights, and much more on your employees, customers, and your business in their databases. In addition, government networks are often linked to larger databases and systems like emergency services, election systems, transportation, banking, and utilities like water, electricity, natural gas, and more. With all of this data potentially accessible from one entity it shouldn't come as a shock that cyber criminals would want to find their way into these networks in order to cause problems and seriously impact your business.

Licking County, Ohio
A recent case of ransomware shut down the Licking County government offices, including the network for the entire police force. Licking County has a population of 166 thousand people, leaving a lot of individual and business data vulnerable and citizens without emergency help. It took days for the county to get everything back up and running.

We could go on and on when it comes to possible risks to your business, but your time is more valuable than that, and we want to make sure you understand how you can protect your business in real time and plan for the future with your proactive continuity plan.


Improving Security and Minimizing Downtime

As you build your business continuity plan you're going to discover ways in which you can improve your day-to-day security and reduce your overall risk of downtime. Discovering these improvements is no reason to set your continuity plan aside; they are an integral part of ensuring the future of your business and the productivity of your employees, and should be addressed alongside it.

Pick Your Vendors Wisely

Before signing a contract with a new vendor, like an internet or phone service provider, check their contracts for any service level agreements. Your network and business may be tightly integrated with or dependent on a vendor, meaning downtime in systems you don't control can negatively impact your business. This is particularly the case for those businesses with clients who absolutely cannot experience a service disruption or who have promised an uptime percentage in contracts. You need to have a plan for how your business will handle these things both internally and with your vendor. It's important to have the answers to the following in your continuity plan:

  • Do you have a dedicated representative you can call to alert of any downtime situation, whether it's coming from your systems or theirs?
  • Do they provide services that may be useful during your disaster recovery process?
  • How do they handle their disaster scenarios or downtime?
  • Do they have plans to minimize the risk to you in the event of a disaster?

Just as your customers feel reassured by your continuity plan, you should feel reassured by those of your vendors.

Backups are not Optional

In this day and age, backing up your data isn't an option, it's a requirement. Every day your data is at risk. Whether that risk be from hardware failure, human error, theft, cyber attacks, or natural disaster, there are a lot of ways your data could be lost or stolen. This sounds scary, and it can be...that is why we discuss the importance of safe and routine backups so often, because there are things you can do to mitigate this threat. Regular backups and constant monitoring are vital when you have a wealth of data to protect. Should your company be hit with a ransomware attack, fall victim to some other type of attack, or endure a natural disaster, having consistent and reliable backups can be the difference between losing two hours of data and losing two weeks of data. One will be an inconvenience, but the other can cause massive downtime, lost revenue, unhappy customers and potentially damage your reputation. 

Gitlab.com Failure
Recently we were reminded of the importance of having an effective backup process after Gitlab.com suffered a major data loss. A directory containing around 300GB of critical production data was almost completely deleted through human error, and while there were five different methods in place that were supposed to be backing up and replicating the data, none of them were working effectively. 
That's a failure on an epic scale.

An important part of your backup process that many forget is that you need to test your backups. If you're not testing to ensure that you can quickly and fully recover the data, you'll never know whether your backups are actually performing like you need them to, or whether they aren't working at all, until it's too late. Find a backup solution that works for your business, whether that solution is a colocated server, cloud storage, an on-premises server (although we do recommend at least one copy of your data be backed up off-site or in the cloud), or some other variation of backup storage, and stick with it! Regular backups, constant monitoring, and regular testing are the first key to mitigating disaster and downtime risks. 

Knowing your data is backed up and secure takes one thing off your mind during the recovery process, since you can be assured it will be there once you've gotten everything back online. 
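One way to put the "test your backups" advice into practice, as an added example rather than code from the original guide: a Python script that records a SHA-256 digest for every file in the source data, then checks a restored copy against that record and reports anything missing, altered or extra. The directory layout, file names and the deliberately flawed restore in `demo()` are constructed for the demonstration.

```python
"""Verify that a restored backup matches the original data.

Added example (not from the original guide). It builds a SHA-256 manifest
of a source directory, then checks a restore location against that manifest,
reporting files that are missing, corrupted, or unexpected. The directory
names and file contents below are constructed for the demonstration.
"""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest.

    Returns a dict with three sorted lists: 'missing' (in the manifest but
    not restored), 'corrupt' (present but the digest differs) and
    'unexpected' (restored but not in the manifest). All three empty means
    the restore is a faithful copy of the original data.
    """
    restored = build_manifest(restored_root)
    missing = sorted(p for p in manifest if p not in restored)
    corrupt = sorted(p for p in manifest
                     if p in restored and restored[p] != manifest[p])
    unexpected = sorted(p for p in restored if p not in manifest)
    return {"missing": missing, "corrupt": corrupt, "unexpected": unexpected}


def restore_is_good(result):
    """True only when nothing is missing, corrupt or unexpected."""
    return not (result["missing"] or result["corrupt"] or result["unexpected"])


def demo():
    """Constructed scenario: a 'restore' that silently lost one file and
    truncated another, which a 'the backup job ran' check would never catch."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        files = {"ledger.csv": b"id,amount\n1,100\n",
                 "notes/readme.txt": b"hello\n",
                 "db/dump.sql": b"CREATE TABLE t(x);\n"}
        for rel, data in files.items():
            path = os.path.join(src, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        manifest = build_manifest(src)  # taken at backup time

        # Simulate a flawed restore: one file never restored, one truncated.
        for rel, data in files.items():
            if rel == "db/dump.sql":
                continue
            path = os.path.join(dst, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data[:3] if rel == "ledger.csv" else data)
        return verify_restore(manifest, dst)


if __name__ == "__main__":
    print(demo())
```

The point is that "the backup job finished" is not the same as "the data can be restored intact"; a manifest comparison after a trial restore catches the silently lost or truncated files that the Gitlab.com incident above is a reminder of. In practice the manifest is written at backup time and kept separately from the backup media, so a faulty job or an intruder cannot alter both copies consistently.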

Find the Right Solutions for You

IT is not a "set it and forget it" business function, nor is it possible to pick one solution and assume it will work for every business. It's important to customize your IT solutions to your business. A few examples include your server design, whether you should colocate, and how to configure your network. Each of these solutions should fit your needs and play into your business continuity plan. For example:

  • Colocation helps ensure that all your critical infrastructure and data is secure and available in the event that something happens to your office, regardless of the specifics of the disaster scenario. These dedicated facilities can give you peace of mind that your business and data are always secure and you can continue working even if something unexpected happens. 
  • In-house vs. cloud file server. There are obviously pros and cons to each type of server, and it ultimately comes down to what is best for your business. In the tech world we probably hear "move it to the cloud" about a hundred times a day. While the cloud is a great thing, it's not always right for everyone. Whatever you ultimately decide about how to store your data, you will need to take it into account when developing your business continuity plan.
  • For most businesses, network segmentation is nothing new, but depending on the size of your organization and the data you're working to keep secure, the way your particular network is segmented might look a little different. Segmentation gives you increased control, performance, and security capabilities. This is all why figuring out just the right configuration for your business is necessary. 

These are just a few examples of the discussions you need to have and solutions you need to decide on. It's important to talk through them, and any others you may think of that are unique to your business or industry, and make sure they are part of your continuity plan. 

Take Every Security Precaution Possible

In the past few years the rapid growth in cyber crime has fueled a dramatic increase in research and spending on ever more sophisticated security technologies. Even users who have never known a life without technology are struggling with how to deal with the dangers right behind their screen. A lot of times this is referred to as next-gen security, an all encompassing category of security systems and programs that go beyond simple perimeter security and antivirus software to solutions that consider the network, user devices, and behavioral patterns much more comprehensively to detect and prevent evolving threats. These precautions include things like:

  • Patch management. This is an area of systems management that involves acquiring, testing and installing multiple patches to an administered computer system. In other words, a simple fix for a problem, bug or vulnerability discovered in a piece of software. 
  • Vulnerability management. A security practice designed specifically to proactively mitigate the exploitation of IT vulnerabilities. These vulnerabilities are weaknesses in IT systems that can be exploited to cause harm or steal information. 
  • Device Encryption. Ensuring your data is secure by storing data in the device's memory as an indecipherable string of 1s and 0s. This prevents others from reading the data off the device without also having your password, fingerprint or another secondary form of identification. 
  • Mobile Device Management that allows you to:
    • Verify that employees are updating their devices
    • Give employees secure access to data while they are away from the office
    • Give the company the ability to wipe the device of all company information should the device be lost or stolen
    • Ensure that these devices are encrypted and that employees are using passwords that comply with company security policies
  • Advanced endpoint systems that monitor the individual device behavior and make sure that any intrusions or network exploits don't even come close to touching your device. 
  • Intrusion Detection Systems (IDS) that continuously monitor the flow of data across your network - and in particular your connection to the outside world - to identify any malicious, unauthorized, or odd behavior. 
  • Intrusion Prevention Systems that can take legitimate action to protect the network. Whereas an IDS is a detection system, an IPS responds dynamically to shut down network-based security threats in real time, sometimes without any human intervention at all. 

All of these steps to improve security and minimize downtime on a day-to-day basis are key components of any continuity plan whose implementation simultaneously decreases the likelihood you'll need to call upon that plan.

What are you Trying to Avoid?

Downtime.

Lost Revenue.

Lost Productivity.

Compliance Issues.

By taking precautionary steps to avoid downtime and security risks you're helping to decrease the odds of those things happening while ensuring the impact of those risks are minimized and your business can resume full function as soon as possible. 

So what are the monetary and non-monetary implications of those risks for your business?

Downtime

In 2014 Gartner reported that downtime could cost your business $5,600 per minute, with a low end average of $140,000 per hour and a high end average of $540,000 per hour. Downtime isn't just server failures and internet outages, there are a lot of possible causes of downtime that you need to be prepared for. Downtime also leads to two of the major outcomes businesses want to avoid: loss of revenue, and loss of productivity. In your business continuity plan it's important to know the true costs of these to your business. Thankfully we have two equations that can help us accurately determine the lost revenue and productivity costs.

Lost Revenue = (revenue earned/hour) x (hours of downtime) x (uptime %)

Lost revenue is dependent on revenue earned when everything is functioning as it should - aka uptime. Depending on your industry and business your uptime percentage for the week will look different than others. For example, if you're a brick and mortar store only open 40 hours per week, your uptime percentage will be about 24%. However, if you're an online business with the potential to make a sale 24/7 your uptime would theoretically be 100%.

So say you're a business that earns $10,000 in revenue per hour and you experience 8 hours of downtime with an uptime percentage of 24%. Your lost revenue equation would look like this: 

LR = (10000) x (8) x (0.24)

LR = $19,200

Lost Productivity = (salary/hour) x (utilization %) x (number of employees) 

This equation calls for you to calculate the utilization rate of your employees during uptime. In other words, what percent of the work hours are your employees actually productive? If your employees are productive for 45 minutes out of the 60 in an hour, you have a 75% utilization rate.

For example, if you have 20 employees who, for the sake of simplicity, all make $35 per hour, and are productive 75% of the time, your equation will look like this:

LP = (35) x (0.75) x (20)

LP = $525 per hour

Knowing these costs can help you make an informed decision on what precautionary measures you need to budget for to save you money in the long run. Being proactive will always be more affordable than being forced to be reactive. 

Intangible Costs

In addition to the costs that can be specifically calculated it's important to remember the non-monetary costs a disaster scenario can bring upon your business. The biggest of these is often the effect on your brand and reputation. Now, while this may seem a smidge dramatic, any damage to your brand or reputation can cause irreversible damage. These are what we call intangible costs and they can be hard to put a definitive number on, so it's really up to each individual business to determine the cost to your brand, your reputation, and your potential repeat sales from current customers. 

Southwest Outage
In 2016 a computer system outage caused Southwest to cancel or delay thousands of flights, costing the airline between $54 and $82 million. While they were able to resolve the issue and were back up and running in about a day, they still had to deal with the consequences, which included angry customers, lost sales, lost potential repeat sales, and various other recovery costs. 

Since most of us aren't operating with the same resources as large companies, like Southwest Airlines, it's important to realize that these intangible costs can add up pretty quickly for small businesses. As an example, Kaspersky reports that brand damage can result in costs upwards of $200,000.

Recovery Costs

This is the last piece of the equation, and another number that will vary depending on what it took to fix the root cause of the downtime. Here are some things to think about when calculating your total recovery costs:

  • Did you have to replace hardware?
  • Did your internal staff have to work overtime?
  • Did you have to contract with an outside firm to help with recovery efforts?
  • Did you have to pay a ransom to get any files back?
  • What was the value of any permanently lost data?

The answers to the above questions, and any other miscellaneous recovery costs specific to your business, all go into this section of the downtime equation.
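The downtime formulas above and the recovery-cost questions just listed, combined into one calculator as an added example that is not from the original guide. It implements Lost Revenue and Lost Productivity exactly as stated, multiplies the hourly productivity figure by the outage length, adds the recovery items, and works out how many outages per year a precaution must prevent to pay for itself. The `RecoveryCosts` field names, the recovery amounts and the $5,000 precaution cost are constructed assumptions; the $10,000/hour, 24%, 20-employee and $35/hour inputs are the guide's own worked figures.

```python
"""Outage cost calculator built on the guide's downtime formulas.

Added example, not code from the original guide. Implements
  Lost Revenue      = (revenue/hour) x (hours of downtime) x (uptime %)
  Lost Productivity = (salary/hour) x (utilization %) x (number of employees)   [per hour]
and adds the recovery-cost questions from the guide. The recovery amounts and
precaution cost are constructed inputs for demonstration only.
"""
from dataclasses import dataclass


def lost_revenue(revenue_per_hour, hours_down, uptime_pct):
    """Revenue lost over the outage, scaled by the share of the week the
    business could actually have been earning (uptime %, as 0.0 to 1.0)."""
    return revenue_per_hour * hours_down * uptime_pct


def lost_productivity_per_hour(salary_per_hour, utilization_pct, employees):
    """Payroll spent each hour on staff who cannot do productive work."""
    return salary_per_hour * utilization_pct * employees


@dataclass
class RecoveryCosts:
    """One field per recovery-cost question in the guide (assumed field names)."""
    hardware_replaced: float = 0.0
    staff_overtime: float = 0.0
    outside_firm: float = 0.0
    ransom_paid: float = 0.0
    lost_data_value: float = 0.0

    def total(self):
        return (self.hardware_replaced + self.staff_overtime + self.outside_firm
                + self.ransom_paid + self.lost_data_value)


def outage_cost(revenue_per_hour, hours_down, uptime_pct,
                salary_per_hour, utilization_pct, employees, recovery):
    """Tangible cost of one outage, broken down into the guide's three parts."""
    rev = lost_revenue(revenue_per_hour, hours_down, uptime_pct)
    prod = lost_productivity_per_hour(salary_per_hour, utilization_pct,
                                      employees) * hours_down
    rec = recovery.total()
    return {"lost_revenue": rev, "lost_productivity": prod,
            "recovery": rec, "total": rev + prod + rec}


def outages_to_break_even(annual_precaution_cost, cost_per_outage):
    """Outages per year a precaution must prevent before it pays for itself."""
    return annual_precaution_cost / cost_per_outage


def guide_worked_examples():
    """The two figures the guide works through: $19,200 and $525 per hour."""
    return (lost_revenue(10_000, 8, 0.24),
            lost_productivity_per_hour(35, 0.75, 20))


def sample_outage():
    """Constructed scenario: the guide's shop plus assumed recovery costs."""
    recovery = RecoveryCosts(hardware_replaced=2_500, staff_overtime=1_200)
    return outage_cost(10_000, 8, 0.24, 35, 0.75, 20, recovery)


if __name__ == "__main__":
    cost = sample_outage()
    for key, value in cost.items():
        print(f"{key:<18} ${value:>10,.2f}")
    print("outages/year needed to justify a $5,000 precaution:",
          round(outages_to_break_even(5_000, cost["total"]), 2))
```

Feeding the guide's shop through the model gives the $19,200 revenue loss and $525/hour productivity loss worked above; with the assumed recovery items the single 8-hour outage comes to $27,100, so a precaution costing $5,000 a year only needs to prevent a fraction of one such outage to justify itself. Intangible costs are deliberately left out of the total, since the guide's point is that each business has to judge those for itself.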

Hopefully detailing all of these costs and demonstrating what we are trying to help you avoid was the final step in convincing you that a business continuity plan is necessary, because now it's time to write and finalize your plan. 

Building your Business Continuity Plan

The business continuity planning process takes time, but we are here with all the steps you need to take to ensure you have all the right information. 

Step One: Risk Assessment

A risk assessment is the process of identifying all possible hazards that could affect your business' ability to function at full capacity. The goals of this assessment tend to be fairly straightforward, but can vary based on your industry, business size, and any compliance or regulatory standards you must meet. Possible goals or outcomes for your risk assessment could be to:

  • Create a full inventory of all technical and non-technical assets, including data
  • Develop a total understanding and justification of all costs associated with proactive security measures vs. reactive measures
  • Obtain a complete knowledge of all foreseeable threats facing your business
  • Compile data to aid in the budgeting process for current and future security measures to mitigate any risks highlighted in the assessment
  • Calculate the ROI for any software or infrastructure investments made based on the assessment results

These goals will vary depending on the type of risk assessment you choose, either quantitative or qualitative, and on your unique business or industry needs. 

A quantitative assessment is used when you want the ability to assign numerical values to each risk to ultimately determine the monetary cost of each. In a quantitative assessment each risk type will be assigned two numerical values, one for the overall likelihood and one for the potential impact on the business. These two numbers are multiplied together to give you a risk factor which can then be used to determine the total financial impact of each risk. A qualitative assessment is used to rank the potential risks in order of most to least impactful on business operations. These types of assessments don't include any numerical assignments or monetary loss predictions.

3 Categories of Business Disasters

Natural Disasters:

  • Flooding
  • Severe Thunderstorms
  • Tornados
  • Hurricane/Tropical Storms
  • Winter Storms
  • Earthquake
  • Tsunami
  • Landslide
  • Volcano

Technological Disasters:

  • Hardware Failure
  • Application Failure
  • Lost Data
  • Utility Outage
  • Fire/Explosion
  • Hazardous Material Disaster
  • Supply Chain Interruption

Human Disasters:

  • Workplace Accident
  • Structural Failure
  • Human Error
  • Vengeful Ex-Employees
  • Employee Absenteeism

This is a pretty basic list, and may not encompass all the risks your business faces, but it's a good starting point. After you've determined all the risks you need to list all the assets at risk. For example:

  • Physical assets
  • Human assets
  • Technology/cloud-based assets
  • Reputation
  • Contracts
  • Environmental assets
  • Monetary assets

For each risk it's important to understand:

  • What are all the consequences?
  • How bad could these consequences get?
  • How likely is this risk to occur?

Knowing all of this can show you the impact of each risk and allow you to start to formulate how to prioritize the recovery efforts. Many companies will also create a risk matrix, like the example below, to help them prioritize and visualize the impact of each risk. 

 

               Highly Likely   Likely    Unlikely   Highly Unlikely
  Fatal        High            High      High       Medium
  Major        High            High      Medium     Medium
  Minor        High            Medium    Medium     Low
  Negligible   Medium          Medium    Low        Low
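The quantitative method described above (likelihood x impact) and the matrix just shown, worked through in code as an added example that is not part of the original guide. It scores each risk both ways, ranks the register by risk factor, and estimates the return on a proposed control, which is one of the assessment goals the guide lists. The control's annual cost and the residual probability and impact it leaves behind are assumed inputs, and every risk, probability and dollar amount in `SAMPLE_RISKS` is constructed.

```python
"""Quantitative risk scoring and control ROI for the risk assessment step.

Added example, not from the original guide. It applies the guide's quantitative
method (risk factor = likelihood x impact), reproduces the guide's qualitative
matrix for a severity/likelihood rating, and estimates the ROI of a proposed
mitigation. Every risk, probability and dollar figure below is a constructed
input, not data from the page.
"""

# The guide's qualitative matrix: rows = impact severity, columns = likelihood.
COLUMNS = ["Highly Likely", "Likely", "Unlikely", "Highly Unlikely"]
MATRIX = {
    "Fatal":      ["High", "High", "High", "Medium"],
    "Major":      ["High", "High", "Medium", "Medium"],
    "Minor":      ["High", "Medium", "Medium", "Low"],
    "Negligible": ["Medium", "Medium", "Low", "Low"],
}


def qualitative_rating(severity, likelihood):
    """Look up the guide's risk matrix."""
    return MATRIX[severity][COLUMNS.index(likelihood)]


def risk_factor(annual_probability, impact_dollars):
    """Quantitative risk factor: likelihood x impact, i.e. expected annual loss."""
    return annual_probability * impact_dollars


def control_roi(risk, control):
    """ROI of a control = (annual loss avoided - annual control cost) / cost.

    'risk' carries the pre-control probability and impact; 'control' carries its
    annual cost plus the residual probability and impact it leaves behind
    (assumed fields, constructed values in the sample register)."""
    before = risk_factor(risk["probability"], risk["impact"])
    after = risk_factor(control["residual_probability"], control["residual_impact"])
    avoided = before - after
    return (avoided - control["annual_cost"]) / control["annual_cost"]


def rank_risks(risks):
    """Score every risk both ways and sort by quantitative risk factor, highest first."""
    scored = [{
        "name": r["name"],
        "risk_factor": risk_factor(r["probability"], r["impact"]),
        "rating": qualitative_rating(r["severity"], r["likelihood"]),
        "control_roi": control_roi(r, r["control"]),
    } for r in risks]
    return sorted(scored, key=lambda s: s["risk_factor"], reverse=True)


# Constructed sample register for a small office (illustrative numbers only).
SAMPLE_RISKS = [
    {"name": "Ransomware", "probability": 0.30, "impact": 50_000,
     "severity": "Major", "likelihood": "Likely",
     "control": {"annual_cost": 4_000, "residual_probability": 0.30,
                 "residual_impact": 8_000}},      # tested off-site backups
    {"name": "Flooding", "probability": 0.05, "impact": 200_000,
     "severity": "Fatal", "likelihood": "Unlikely",
     "control": {"annual_cost": 9_000, "residual_probability": 0.05,
                 "residual_impact": 20_000}},     # colocation
    {"name": "Hardware Failure", "probability": 0.50, "impact": 6_000,
     "severity": "Minor", "likelihood": "Likely",
     "control": {"annual_cost": 1_000, "residual_probability": 0.50,
                 "residual_impact": 1_500}},      # spare hardware on hand
    {"name": "Employee Absenteeism", "probability": 0.80, "impact": 2_000,
     "severity": "Minor", "likelihood": "Highly Likely",
     "control": {"annual_cost": 500, "residual_probability": 0.80,
                 "residual_impact": 500}},        # cross-training
]

if __name__ == "__main__":
    for row in rank_risks(SAMPLE_RISKS):
        print(f"{row['name']:<22} factor=${row['risk_factor']:>9,.0f} "
              f"rating={row['rating']:<6} control ROI={row['control_roi']:.2f}")
```

Two things the numbers make visible that the matrix alone does not: the qualitative rating puts ransomware, flooding and absenteeism all at "High", while the risk factor separates them by an order of magnitude, and a control can be worth buying for a "Medium" risk (the spare-hardware ROI) while one for a "High" risk merely breaks even (the colocation ROI of 0). Both views belong in the assessment, and the ROI column is what turns it into a budget argument.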

Understanding risk is one of the most important parts of running a business. You can't plan for the future if you don't know what you're planning for.

Step Two: Business Impact Analysis

A business impact analysis allows you to take all the risks you've identified and determine the potential effects that disruptions, accidents, or emergencies can have on both the critical and non-critical functions of your business. 
These effects include:

  • Lost or delayed sales or income
  • Increased or unexpected expenses
  • Regulatory fines
  • Contract failures or penalties 
  • Dissatisfied or lost customers

The benefits of a business impact analysis are that this analysis: 

  • Provides management with all the necessary information to make quick and informed decisions in times of crisis
  • Provides insight into the most vital company functions and how to allocate resources and prioritize in the event of a disruption
  • Instructs employees on their role in the recovery efforts until the company is fully operational 
  • Identifies all non-operational impacts to the company that will need to be addressed as soon as a certain level of operational functionality is restored

A business impact analysis is predicated on two assumptions:

  1. That each part of the business depends on the continued operations of all the other parts of the business
  2. That some functions of the business are more important than others, will need more resources, and will need to be addressed faster than other functions in a disruption scenario

The complete business impact analysis process looks something like this:

Collect all Information

For each business department or critical business function you need:

  • The functional parent of the process
  • The process name and a detailed description
  • List of all inputs and outputs from the process
  • Maximum allowable disruption time before impact occurs
  • Descriptions and calculations of the financial and operational impact from a disruption
  • Human and technology resources needed to support recovery processes - including computers, networks, offices, people, etc. 
  • A description of the customer impact of external or internal processes, and a list of departments that depend on the process outputs 
  • Explanation of any legal or regulatory impacts that may result from a disruption
  • Description of past disruptions and the impact of each
  • Description of work-around procedures or work shifting options to other departments or remote workers

Review and Synthesize Data

Now it's time to analyze that data and put it into an easy to read format. The information you've collected should give you the insight needed to:

  • Prioritize the most important business functions
  • Identify all necessary resources for each function and department for each individual risk scenario 
  • Determine recovery processes and time frames for all functions and risks

Build Your Report

Once you have all the information collected and analyzed it's time to organize it into a formal report for management, employees, and future planning. 

Here is an example of a general BIA report outline:

  • Objective and Scope
  • Methodologies for Information Gathering
  • Analysis and Summary of Results
  • Individual Department Sections
  • Department Specific Processes
  • Disruption Impact
  • Disruption Duration Timelines
  • Tolerable Loss Levels
  • Options and Costs for Various Recovery Strategies
  • Relevant Supporting Documents from the Review Stage
  • Overall Recovery Recommendations
    • This should include the prioritization of functions and processes to get the business back to full functionality

And with that your business impact analysis is done and it's time to finish the process by finalizing your complete Business Continuity Plan.

Step Three: Finalizing your Plan

At this point the majority of the work is done. Now it's time to analyze all the information one more time and make sure you have everything you need to detail:

  • All department functions and responsibilities  
  • All foreseeable risks to each department as well as to the business as a whole
  • All essential systems and processes that must be kept running
  • How to keep those essential systems and processes running in various disaster scenarios

The biggest question you need to answer in this whole process is: What is essential?

This applies to services and functions as well as staff. 

Essential Services and Functions

These are the services and functions that when not delivered or performed:

  • Create an impact on the individual health and safety of employees or customers
  • Could lead to the failure of the business if not performed in a certain period of time 
  • Create either an immediate or long term business impact
  • Cause the business to no longer be compliant with mandatory regulations 

Essential Staff Requirements

Part of the business continuity planning process is determining which staff members are vital to keeping the business operational and maintaining the essential services and functions defined above. You need to understand and list out what each staff member needs to perform their specific job. Those needs might be certain equipment or technology, skills, or access to the rest of their team. You need to make sure your business continuity plan includes all of this.

Both the essential services/functions and staff requirements form the first part of your plan. For each of these essentials you need sections of the plan that provide:

  • A description of the services or functions
  • A list of who is responsible for the implementation and communication of both the plan and the overall strategy when the business is running at full capacity
    • Primary and secondary contacts and all their information
  • Potential risks to the business as a whole, the unique risks for each division, and the impact each has on the business as a whole
  • Plans for communication, staff relocation, how to contact suppliers, and how to access required resources and various needs

Once all of this is completed, it's time to make some lists.

Key Internal Contacts 

Now that you have detailed plans for the essential functions, services, and staff, it's important to put together a comprehensive list of anyone within the organization who would need to be alerted should a disaster occur.

Ask yourself:

  • Who needs to be informed?
  • How do I contact them if I can't use their company-provided email address or phone number?
  • What role does this individual play in the recovery efforts?
  • What information do they need to perform that role?

Keep in mind you may also want to give some thought to the order in which you'll contact these individuals. If there are employees or individuals who are essential to the recovery, you will obviously want to contact them first to get them to work, while with others it may be okay to contact them once the initial shock has been dealt with and recovery efforts are underway. This is something you will want to indicate on the contact list. 

Customer List

Once your employees have been informed, it's time to inform your customers. Just as with your internal staff you will need to have a list of customers that need to be informed of disasters or disruptions to your services or products. This list should include:

  • Their name and contact information
  • What products or services they utilize
  • Any recovery estimates or information you have that will settle their fears about your business and their ability to work with you in the future
  • Any other information they may find necessary or helpful

This section of your business continuity plan should also include information for the employees tasked with contacting your customers detailing what to say, what not to say, and the established procedures on how to get in contact with your company during the recovery period.

Vendors and Outside Business Partners

This final list is similar to the two above, but includes everyone else related to your business who isn't on those other lists. These individuals may include:

  • Those who rely on your business for information
  • Those who provide your business with a service or product (insurance, security, facilities, legal, outsourced departments, etc.)
  • Anyone with a financial interest in your company

Keep in mind that, should the disaster be a data breach or something similar, this list must also include various government entities that need to be informed. These entities may or may not have a direct involvement in the short term recovery efforts but will need to be kept up to speed on the recovery efforts and may have a part to play in the long term success of the organization after a breach. 

Step Four: Review, Test, and Update

Once you've completed the plan, it's important to come together with the entire team to review it. In this phase of planning you need to ensure all sections of the plan are detailed, that all reasonably foreseeable risk scenarios have been discussed, and that all the procedures are clear and consistent, so that everyone can understand and follow them in a uniform fashion. A thorough review should give the team early indications of anything that is missing, allowing you to make changes and giving the entire team a chance to discuss the implementation process.

Test the Plan

Testing is extremely important. If you don't test the policies and procedures, you can't be 100% confident in your plan, and if you're not 100% confident, what was the point in creating the plan at all? Your tests should be based around realistic and challenging risk scenarios that you discovered in your business impact analysis. If you're prepared for the worst, smaller scenarios will be handled just as thoroughly.

There are three different ways to test your business continuity plan. 

Table Top Testing

This test is similar to an all-team review, in which everyone pores over the plan with regard to various risk scenarios and provides their input on any possible issues or necessary changes. This is usually done in a large group setting with all important team members involved and at least one person from each major department present.

Structured Walk Through

In a structured walk through each team member walks through their section of the plan in front of the whole team with a specific disaster on the table to identify and correct weaknesses. This may include disaster drills or role-plays to ensure every detail has been addressed. 

Disaster Simulation

A disaster simulation requires not just the business continuity planning team but every employee, vendor, and all essential outside personnel to simulate recovery efforts in the event of a disaster. Disaster simulations not only test the plan itself, but also your employees' ability to execute the plan, while bringing in fresh eyes and perspectives that may detect unseen issues or gaps.

After all of these tests it's important to regroup, combine notes, and make any necessary changes. 

Update the Plan

Now that all the work is done and your plan is ready to be put to use in the event of a disaster, don't forget about it! Though the majority of the work is done, it's important to remember that this is a living document and should be reviewed annually or whenever any major organizational changes occur. As your business changes, your plan will need to change too. You don't want to find yourself in the middle of a disaster five years down the road, realizing that your entire plan is obsolete and no one knows what they need to be doing.

Business continuity has also been called operational resiliency. While building a plan may seem like a lot of work and you may feel that you have more important things to do, the benefit of having that plan and knowing that your business will be resilient in the face of disaster is worth the time spent creating it. We've had occasion to work with businesses experiencing disasters; the proactive and prepared companies always fare far better than those who attempt to save their business in a purely reactionary way.

Being proactive is always better than being reactive.
