This post is part of our 8-part series exploring the role of data in business recovery and planning in the era of COVID-19.
A disaster or emergency can threaten the very survival of a business or cause huge damage to customer relationships, profitability, employee well-being, and assets.
To mitigate the potential fallout of an unforeseen event, every organization must have a business recovery plan in place. This plan documents a clear course of action to be followed in the event of an emergency. The business recovery plan is created with a view to maintaining the critical revenue path of your products or services, or at least restoring them within the shortest possible time.
You need to develop, deploy, and maintain strategies and procedures that will ensure that critical business processes are resilient. These will enable your business to respond to and recover from possible events or disasters. The underlying approach to planning can be summed up as PPRR - prevention, preparedness, response, and recovery. We can attempt to prevent certain events or incidents, but for those that are beyond our control, we need to focus on our preparedness to respond and recover quickly.
A study by Gartner found that two out of every five organizations that experienced a disaster went out of business within five years. This finding is a wake-up call to take business recovery planning very seriously. You can ensure that your business is counted among the other three by adopting the following best practices of business recovery planning.
Plan with data-driven decisions
In a previous post, "How to Leverage Data to Create an Effective Business Continuity Plan", we explored the 5 steps towards creating a business continuity plan (BCP), namely:
- Business Impact Analysis
- Risk Assessment
- Risk Mitigation Strategy
- Crisis Management Team
- Test and Maintain
Planning enables you to put risk mitigation practices in place, by considering each risk to see whether you can avoid or reduce it. Some of these practices may include creating alternate supply chain sources, safeguarding revenue streams, backing up data, purchasing appropriate insurance coverage, and creating a cash reserve fund.
The effectiveness of the plan depends upon your ability to correctly identify the most critical processes for your business. You need to estimate what the downtime of each of these processes will cost you. You also need to assign probabilities to a variety of possible risks.
It's important that these decisions are based on past data available within the organization as well as data from external sources, such as public health sources, as seen during the pandemic, or weather centers during storms and hurricanes. If this data is not properly maintained and analyzed, your plan will be based on gut feeling and will not deliver the full value that it should.
Let’s consider potential risks. Businesses face a variety of risks. While some risks are specific to a particular industry or company, others can affect all kinds of businesses. The COVID-19 global pandemic has affected businesses across all sectors and geographies, and other epidemics or pandemics in the future may also wreak such havoc. Natural disasters such as earthquakes, tornadoes, hurricanes, winter storms, wildfires, or floods cause damage in specific locations. Industrial accidents such as chemical explosions, fires, or spillage of hazardous material may also pose a risk to your business. The failure of utilities such as power or water supply can cause disruption to your operations. Then there is the risk of deliberate sabotage by way of information theft or other attacks.
When you need to assess risks, working with data can provide granular insights about specific risks to facilities, teams, or locations. Data also plays a huge role in ensuring accurate business impact analysis. Scenario analysis based on data can help to consider the outcome of various possible events, and select the right risk mitigation strategies.
Detail the recovery procedure
A detailed business recovery plan is an important part of overall business continuity management. Consider each of the following aspects and define the procedure to be followed when restarting after an incident:
- Which functions can be restarted and under what conditions?
- What is the correct sequence for restarting machinery, servers, and so on?
- Which roles will work through the incident, which will restart afterwards, and under what conditions?
- In case anyone is injured, what is the emergency medical protocol?
- Is there a need to relocate any facilities, functions or people? What will be the relocation process?
- Keep an inventory of the essential items that will need to be available. What is needed to meet customer needs? What is essential to maintain communications? Plan for vehicles that will be needed for transportation or relocation.
- What happens if your payroll function gets disrupted? How will you take care of your employees’ financial needs?
- Who will collect the evidence needed to file insurance claims?
- If there is damage to physical or cyber security, how will you prevent fraud or theft?
- Who will communicate to external stakeholders - families of staff members, customers, investors, members of the press, and others?
- Who will manage documentation and evidence to protect you from legal liabilities?
The business recovery plan is created after thinking through each of these questions, and finding solutions that are specific to your business.
Create a continuity mindset
A business recovery planning exercise done once, with the objective of creating a formal plan, will not help your organization to build the necessary resilience, no matter how great the document produced is. Do people across functions know what is expected of them and feel a sense of ownership about the recovery plan? What if the document or file is not accessible when an incident occurs? Will key people still know what they are responsible for?
Consider these questions carefully and engage team members to actively participate in continuity management. This safeguards the interests of your customers, employees and their families, supply chain, and investors. It protects your brand, assets, and knowledge. Company leaders should not believe that business recovery planning relates only to IT systems and data and is the exclusive responsibility of the IT function. Business recovery should be an enterprise-wide focus that considers the needs of all functions in case of a disaster.
Provide training and conduct drills so that employees are familiar with their responsibilities in the event of a disaster. See that the BCP includes communications processes. You could set up a call tree or phone tree that defines a calling sequence to ensure that everyone gets notified quickly. Contact information for employees, suppliers, customers, financial institutions, and other important stakeholders should be known and readily available at all times. Your training for employees could also include instructions about what can be shared on social media during a crisis.
While many plans focus on the crisis management team (CMT), you may choose to create other specialized teams. The recovery management team could be tasked with executing functions related to restarting operations. In addition, you may create teams specifically responsible for legal matters, damage assessment, PR, data recovery, and so on.
You can allocate responsibility for various components of the plan by assigning an owner and a reviewer. Stakeholders should be able to see when the plan was published, and editing rights should be carefully controlled.
Most importantly, you must list the people who are authorized to invoke the plan and under what circumstances.
Review and maintain the business recovery plan
The business recovery plan must be current, tested, and available to stakeholders for it to be an effective means of building a resilient organization.
Over time, your business can evolve - people change, locations change, new equipment or facilities get added, and contact information changes. The nature of risks to your business also changes with time. For this reason, a regular review of the business recovery plan is essential. Do schedule an annual review of the BCP. This is the time to update the plan to better reflect the current realities of business. When you conduct exercises and drills, follow this up with a review to check whether things went well or whether the plan needs to be tweaked, and make changes if needed.
You may choose to invite an external consultant to review your business recovery plan and readiness. In this case, select a consultant who has conducted this exercise in multiple organizations so that you can benefit from the experience.
By following these best practices of business recovery management, you can help the stakeholders of your business achieve a state of readiness to overcome challenges and uncertainty.