This post is part of our 8-part series exploring the role of data in business recovery and planning in the era of COVID-19. Read the rest of the articles here.
A business continuity plan outlines how an organization can continue operations even when faced with significant disruption. Business continuity planning must start with considering a range of possible threat scenarios, and then document how to maintain business continuity through those incidents. The business continuity plan, often referred to as BCP, may also incorporate a variety of tools and models, or it could be made up of simple checklists, task sequences, and contact lists.
The time and effort that you invest in business continuity planning enable your organization to return to normalcy sooner after a crisis. The plan can also help you to minimize the financial impact of any unplanned incident, crisis or disaster. Business continuity planning can help you deliver services to your customers with the least possible disruption, thus protecting your brand and preventing customer attrition. A good business continuity plan also minimizes the impact of a crisis on the wellbeing of your own staff.
We look at the methodology of business continuity planning in conjunction with the data that is required to arrive at the right decision at each stage. You can get the benefit of effective business continuity planning only when you have accurate, timely and relevant data on hand.
The 5 steps of a successful business continuity plan
Business continuity planning ensures alignment between processes, technologies, and people in order to overcome a crisis. The planning process takes a holistic view of the business and addresses the strategy, responsibilities, and infrastructure needed. The business continuity planning process is a mature and well-defined methodology, and most experts list five steps. However, we will examine each step from a practical application perspective, and also see how data analytics can help you to make the right decision at each stage.
1. Business Impact Analysis
The first step is to identify the business operations and processes that are most critical, and the resources needed to support them. Once you have identified these important business functions and supporting services, you can then estimate how critical each one is. You must also determine the upstream and downstream dependencies that affect your ability to deliver.
What does the downtime of a specific resource cost you? Data analytics can help you calculate this based on actual historical data. What if your office suffers a power outage? Or if the building of your manufacturing facility is damaged? What if customer service teams are not able to come to work? In each of these cases, your business pays a cost that is made up of multiple elements.
A platform like InsightOut can help to conduct the business impact analysis or BIA. You can estimate the costs of downtime by drawing data from multiple systems. Once you bring all the critical processes onto one platform, you can rank them based on their downtime cost. You can also consider one more variable: the maximum time you can afford to have that particular function down. So considering these two variables, you can arrive at a prioritized list of critical functions that should be the focus of your recovery plan.
2. Risk Assessment
Now we need to identify the principal classes of threat and the potential impact of each on our business. You may assign a qualitative value to each risk such as minimal, low, medium, and high. Some people prefer to work with a quantitative value. This is calculated by assigning an estimated value to the likelihood, and a value to the estimate of damage. Then those two values are multiplied to arrive at the quantitative risk assessment. Whether you choose to work with the qualitative or quantitative indicator for risks, you need to assign a value for the likelihood of each one.
A data analytics platform can be used to effectively estimate the likelihood of a particular risk. You can analyze data available in the organization as well as from external sources. Let's consider the recent pandemic. If you need to estimate the risk of your staff getting infected with the COVID-19 virus, then you may need to consider the trends of spread around your company locations. The trends will change over time and the data analytics platform enables you to update your risk assessment dynamically. If you live in a zone prone to hurricanes, you can estimate your risk from one and update it if a particular hurricane is developing.
3. Risk Mitigation Strategy
In the event of an incident what will you need in order to get the business back up and running? What will be the specific actions to be taken and in what sequence? This part of your plan may list certain alternate resources such as premises or suppliers that you will require.
It is a good practice to have a disaster recovery contract in place, specifically for IT facilities. This is a contract with a vendor who will provide equipment, facilities or services in the event of a disaster. If you do not have such an arrangement in place, you may want to evaluate it now. The contract usually specifies that you can test the equipment that will be provided. There may also be some provision for rehearsing the disaster recovery plan. The vendor is likely to charge fixed fees plus cost for actual usage.
You could also include technical details and instructions in the risk mitigation part of the business continuity plan. These technical details could be related to the sequence for restarting a production line or data servers, or anything else that's relevant to your business.
You will need a cost-benefit analysis to decide your risk mitigation strategies. What happens if you have the highest possible level of risk mitigation readiness or if you have none at all? The actual optimum level lies somewhere between those two extremes. To find that point, you need to understand the cost of business downtime. Your retail outlets or production facility could be closed for a short time, and the cost of this shutdown to your business may be quite small. If the shutdown extends for many hours or days or weeks, the cost increases very sharply due to a greater loss of customers, reputation, and revenue.
Now consider the level of readiness you need. While replicating every server, facility and equipment may take care of every risk, obviously, that’s too high a cost and probably unviable. So what are the minimum resources you will need to maintain the maximum possible uptime while damage is repaired?
The scenario analysis capability of a data analytics platform like InsightOut can help you to identify the right risk mitigation strategies. You can work with past data to see the scenarios for a variety of different risks as well as readiness levels. This can help you to find the optimum readiness for each risk factor.
4. Crisis Management Team
It's essential to identify the Core Team of leaders who will take charge in case of a crisis. These form your crisis management team (CMT) or your business continuity team. They will need training and should be sufficiently familiar with their role in the business continuity plan so that even if they lose access to files, they know what to do.
In small businesses that don't have a separate risk and continuity function, IT managers are often given the responsibility of business continuity as they have a view of the entire operation and know what the vital services are, and how to deliver them. The business continuity team must collaborate with functional managers to identify the essential business functions, assign recovery objectives and criticality.
Beyond this core team, your entire staff need some basic training on a crisis management plan. They should know whom they must call and what are the do's and don'ts for them.
5. Test and Maintain
Does everybody have the necessary training, and will things work as defined in your business continuity plan? The only way to know is to conduct exercises, test your readiness, and make improvements. The BCP itself needs to be reviewed periodically and modified as required. The type of functions that are most critical to you may change over time. Potential risks to your business will also change. For these reasons, business continuity planning is not a one time exercise but rather should form a continuous planning cycle.
You could test your plan between two and four times a year. Some of the testing techniques used are table-top exercises, structured walk-throughs, and simulations.
As we've now seen, data can play a huge role in business continuity planning by predicting the possible crises and analyzing various risk factors and their impact. Data analytics can help to create the risk mitigation strategies that will deliver the best cost-benefit advantage.
For more information about implementing a data-driven business continuity plan for your organization, reach out to our team here.