The COVID-19 crisis has forced businesses to tackle a multitude of challenges over the past few months, but one of the most important involves the business continuity (BC) plan. Many companies learned too late that their plans were inadequate, lacking interoperability with other critical plans for crisis management, disaster recovery, and pandemic readiness.
Many business continuity plans are either too high-level to offer any real actionable detail or consist of content that is out of date. In other instances, plans place too much emphasis on short-term disturbances and forsake long-lasting disruptions. Many also gloss over pre-event preparations and work acceleration strategies.
The pandemic has reset expectations. While CIOs have a vested interest in the effectiveness of BC plans – after all, they ensure essential activities can withstand a variety of disruptions to keep the business running as IT reinstates services after an incident – resilience should be a company-wide priority.
1. Build your business continuity plan foundation
As you reimagine your entire business resilience program, here’s what your BC plans should include. Effective BC plans start with the following five essential framework elements:
- Objectives: What will the plan cover, and how does it fit into a larger organizational response to disruption?
- Activation procedure: What sets the BC plan in motion? Who is involved, and what resources — e.g., backups and workplace recovery facilities — are available?
- Priorities: How will you communicate with staff, vendors, customers, and others? What are the most business-critical applications and systems that you need to focus on reviving?
- Assumptions and limitations: You can’t foresee every disruption, but you can detail limitations in your plan to allow for effective decision-making. Identify limitations in the extent, duration, and impact of your plan.
- Standing down procedures: Determine your criteria for saying an incident is closed and how to extract lessons learned from the experience. This section can also include an appendix of relevant resources, from templates like action logs to meeting agendas.
Within this framework, there’s a lot of room to customize for your size, maturity, compliance requirements, and other factors. While every organization’s BC plan approach will be unique, it’s important to consider the following aspects when designing your plan.
2. Develop response strategies if key resources are unavailable
Effective BC plans must include well-defined strategies and actions for responding in the event that key resources become unavailable. These could include:
- Workplace
- Equipment
- Workforce
- Third-party services
- IT services
- Data
You need to have planned business responses for each of these disruption scenarios, and they must be at the individual resource level. Generic statements that convey the “what’s” without the “how’s” aren’t helpful. For example, if your inventory management system is unavailable, how will you continue your receiving activity? Be specific in your plans.
IT must be aware of the part it plays in enabling disruption response strategies. For example, remote working is one possible business response for workplace unavailability. In that event, IT might be tasked with upgrading your company’s virtual meeting service and expanding the IT help desk staff.
However, in a workforce unavailability scenario, your solution might be to transition work to personnel in another geography. In this case, IT’s response might be to adjust network configuration in anticipation of increased volumes from a network node.
BC planning is also essential within IT, which relies on people, workplaces, equipment, third-party services, supporting systems, and data. Put comprehensive BC plans in place for key IT activities where ongoing service levels are of paramount importance. This includes:
- Network operations centers
- Information security operations centers
- IT help desks
- Disaster recovery teams
3. Work out timing for each response strategy
Timing is critical.
Determine the anticipated time to implement each of your defined response strategies, as well as how long each strategy can remain effective.
For some strategy options, the goal should be quick implementation times. For others, focus on ensuring the response strategies will be effective for sustained timeframes – ideally three to six months or longer.
Let's look at two more important elements: