Steps for Building a Business Continuity Plan

Nowadays, just about every business department, from procurement to office maintenance, relies on technology in one way or another. Almost nothing gets done anywhere without technology, not for a day or even a minute.

However, as Covid-19 proved, we all need to plan for the unexpected. It’s not enough to consider disaster recovery applications; we also need to consider how to enable our people to work effectively remotely, how to adjust cybersecurity policies accordingly, and more.

That’s what we intend to help you plan for, so below are the steps we follow with our clients in the greater New York City area to set up their comprehensive business continuity plans:

1. Identify critical areas/functions of your business
2. How does technology align to those critical functions?
3. Evaluate risk of disruption and determine areas of investment
4. Deploy, communicate, and train end-users for different scenarios

Identify critical areas/functions of your business

The goal is to identify the applications and functions that are critical to operations and the short- and medium-term impact we can expect if these applications are interrupted. For instance, losing a payroll application would impact the ability to pay employees, and so our first step is to identify areas like these.

Here you need to consider every department or operational area, even those that don’t seem critical. This could change depending on the duration and type of emergency.

Once those areas are identified, work through the following:

  • Identify the position(s) and employee(s) responsible for each function, and gather their contact information.
  • List the resources, technology or otherwise, needed for each critical function.
  • Consider the minimum level of technology necessary for continued operations.

Before you determine the risk, you must identify the functions and rank them in order of importance. For example, we describe priorities as follows: essential, important, and non-essential.

The focus here should be to guarantee continuity of all essential and important functions and leave the non-essential as a secondary action plan that will only take place if the emergency is prolonged.

How does technology align to those critical functions?

Next, we should run a checklist of the available technologies and associate them with the functions from the previous step.

When running a checklist these are the three questions to consider:

  • What is the process and to which department does it belong?
  • What technology (hardware/software) enables this process, and where is it hosted (cloud, private datacenter, etc.)?
  • What’s the percentage of individuals who have adopted the technology and feel comfortable using it?

A key aspect to consider is end-user adoption. Having the technology in place to enhance a process is one thing, but having every key employee using it properly is another.

In the blog “Top technologies every NYC business should have beyond 2020”, we describe some of the key technologies we helped businesses implement in response to the pandemic. We believe that technologies such as cloud computing and virtualization will provide a better option for organizations that are looking to align some of their critical processes to a longer-term remote working environment.

Evaluate risk of disruption and determine areas of investment

Once you identify the key technologies that will support your critical operations/functions, you need to evaluate the risk of disruption to prioritize the areas of technology investment that will support those essential and important processes.

You can start analyzing the risk/impact a process disruption will have on your overall business performance by measuring these metrics:

  • The Recovery Point Objective (RPO): It determines how frequently backups should be taken, based on how much data your business is willing to lose. For example, what would happen if email correspondence were lost? What systems, software applications, key documents and user clearances must be kept absolutely current in order to run the business?
  • The Recovery Time Objective (RTO): It determines how long a company can afford to be offline during and after a disaster.

These two metrics will provide a framework for deciding on technology investments. For instance, if there’s a process where information needs to be constantly updated and it’s critical to the business’ operations (high RPO and RTO requirements), investing in technology to enable this process will be a priority.

Now, remember that BCP is all about continuous improvement, so whatever processes you set up in your plan need to be tested and adjusted regularly. To do so, consider these metrics:

  • The Recovery Time Actual (RTA): The difference in time, if any, between the in-place and tested recovery strategy and the RTO.
  • The Recovery Point Actual: The difference in time, if any, between the current data backup and offsite storage process versus the RPO.
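
The measurement behind these four metrics, as an added example that is not part of the original article: it finds the longest stretch without a successful backup in a job log and compares it, along with a tested recovery time, against the RPO and RTO. The log format, the system name payroll-db, the function names, and the test result are assumptions, and the sample log is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample backup job history (illustrative, not real data).
# Assumed format: "<ISO timestamp> <system> <OK|FAILED>"
BACKUP_LOG = """\
2024-03-01T00:00 payroll-db OK
2024-03-01T06:00 payroll-db OK
2024-03-01T12:00 payroll-db FAILED
2024-03-01T18:00 payroll-db FAILED
2024-03-02T00:00 payroll-db OK
2024-03-02T06:00 payroll-db OK
"""

def worst_data_loss_window(log, system, as_of):
    """Longest stretch without a successful backup of `system`, up to `as_of`."""
    rows = (line.split() for line in log.splitlines() if line.strip())
    ok = sorted(
        datetime.fromisoformat(ts)
        for ts, name, status in rows
        if name == system and status == "OK"
    )
    if not ok:
        return None  # no successful backup at all: nothing to restore from
    points = ok + [as_of]  # data written since the last backup is also at risk
    return max(later - earlier for earlier, later in zip(points, points[1:]))

def recovery_gaps(log, system, as_of, rpo, rto, tested_recovery):
    """Compare measured values with the objectives; positive gap = objective missed."""
    window = worst_data_loss_window(log, system, as_of)
    return {
        "worst_window": window,
        "rpo_gap": None if window is None else window - rpo,
        "rto_gap": tested_recovery - rto,
        "meets_rpo": window is not None and window <= rpo,
        "meets_rto": tested_recovery <= rto,
    }

if __name__ == "__main__":
    report = recovery_gaps(
        BACKUP_LOG, "payroll-db",
        as_of=datetime(2024, 3, 2, 9, 0),
        rpo=timedelta(hours=6), rto=timedelta(hours=4),
        tested_recovery=timedelta(hours=3, minutes=30),  # assumed DR test result
    )
    for key, value in report.items():
        print(f"{key}: {value}")
```

The two failed jobs leave an 18-hour window against a 6-hour RPO even though backups are scheduled every 6 hours, which is why the check counts only successful jobs.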

Deploy, communicate, and train end-users for different scenarios

A business continuity plan is all about being proactive, and communication and end-user preparedness will be significant in keeping your business going. For example, we had customers who had deployed Microsoft 365 and Teams back in 2019 as part of their core technologies, giving employees flexibility, and who were using the tools daily. When the Covid-19 emergency arose, it was that much easier to have everyone working from home, and there was zero interruption to operations.

Communicating every aspect of your BCP to employees helps to create awareness of the critical functions, responsibilities, and roles. Training will then help to build their capability and confidence to enable a smooth transition from crisis mode to business recovery and ultimately to the business resumption phase.

We hope you found these steps clear. Business continuity planning does not have to be a daunting task if it is conducted logically and systematically. A robust and tested BCP with trained resources will go a long way in making sure that the organization is better prepared and more resilient in the time of a crisis.

About: Nero Consulting is a Top IT Managed Service Provider in New York City helping businesses implement, manage and train end-users in critical technologies such as cybersecurity, cloud computing, and more.