SMB business continuity planning basics -- Part 1


Pierre Dorion, Contributor
04.13.2006


Developing a business continuity plan has long been considered a luxury that only large enterprises can afford. The reality is, business continuity planning (BCP) is a necessity for all companies, and small and midsized businesses (SMBs) are often perceived as being less disaster resilient than large, geographically dispersed multinational companies. Part 1 of this two-part series addresses why SMBs need a business continuity plan.

What is business continuity planning?


The terms BCP and disaster recovery (DR) planning are often used interchangeably to describe an organization's ability to survive a disastrous event. However, most contingency planners now consider DR planning a subset of BCP, which itself is a subset of risk management. BCP reduces the impact of an interruption to a level that is acceptable to the business.

A business continuity plan is developed based on these key elements:

Business impact analysis:

  • Understanding the business (what it does, who does it and how);
  • Calculating the impact on the business should its critical processes be interrupted;
  • Identifying the dependencies for these processes (people, infrastructure, tools, records, etc.)

Risk assessment:

  • Threats to which the organization is subject and its vulnerabilities
  • The probability of those threats materializing
  • Controls in place to mitigate or reduce the risk

Communication:

  • Knowing what to do, how and when to do it and what to say in the event of a crisis

Of course, the above information does not mean much if the procedures are never tested or they are allowed to become outdated. Hence, the program must also include BCP testing, training and updating.

Why is BCP important?

Traditionally, BCP was viewed as a process reserved for Fortune 500 companies, while SMBs had to be content with daily tape backups sent off site. Yet SMBs have the same continuity requirements as large enterprises, albeit on a smaller scale. They, too, have customer and market demands to satisfy, employees to pay, revenue streams to maintain and, in many cases, shareholder investments to protect.

Some of the drivers for implementing a business continuity program are summarized below. Note that while these drivers apply to organizations of all sizes, they are particularly important to SMBs, which typically have fewer financial and staffing resources to weather a crisis.

Competitive advantage: Many partnership or supplier agreements include clauses that require certain service levels in the event of a disaster or business interruption. Having a plan in place gives a company a competitive edge over those that don't.

Legal implications: Industries beyond banking are legally bound to have a contingency plan in place because of regulations such as the Sarbanes-Oxley Act.

Insurance premiums: Many insurance companies now factor in a company's level of disaster preparedness as part of the risk calculation. Some companies have seen significant reductions in their business insurance premiums based on a measurable level of preparedness.

BCP is primarily intended to protect a company's assets, such as people, revenue flow, records, intellectual property and infrastructure. Beyond contributing to the prevention or mitigation of tangible losses, BCP is also essential to protect an organization's reputation in the event of a disaster or major interruption.

A BCP, even if incomplete, is better than no plan at all. At a minimum, it should ensure that roles and responsibilities are clearly defined. It should also include tested procedures that focus on the safety of employees and the timely resumption of business-critical and revenue-generating activities.

Stay tuned -- Part 2 will explore the business impact analysis element of a DR plan from an IT perspective.

Pierre Dorion is a business continuity consultant at Mainland Information Systems Ltd. in Calgary, Alberta, specializing in business continuity planning.


All Rights Reserved, Copyright 2007 - 2008, TechTarget