Why Your Company Needs a Business Continuity Plan

What if – due to a natural disaster or a crippling cyber-security breach – your company couldn’t function for a day? Or a week? Or a month or more? Could your business survive?

If you have a Business Continuity Plan your chance of success is immeasurably improved.

A Business Continuity Plan is a well-thought-out plan to continue operations if a place of business is affected by any level of disaster such as an extended power outage, virus invasion or network meltdown, a localized disaster such as a hurricane or terrorist attack, a supply chain interruption, or the permanent loss of its building due to fire or flood. It also includes some preventative measures. Without a plan, statistics show, businesses struggle to spring back to life.

According to a report on readysmithadvisers.com:

  • Within two years after Hurricane Andrew struck in 1992, 80% of the affected companies that lacked a business continuity plan failed. (FEMA)
  • 80% of businesses suffering a computer disaster, but have no disaster recovery plans, go out of business. (“A Bridge Too Far”, IBM Business Recovery Services & Cranfield, 1993)
  • About 60% of businesses that experience a major disaster, such as a fire, close within two years, according to the Association of Records Managers and Administration.
  • More than 40% of all companies that experience a disaster never reopen, and more than 25% of those that do reopen close within two years, according to Labor Department statistics.

If you’re unsure whether your company needs a Business Continuity Plan, try shutting down your server and internet access for a few hours. If you can continue normal operations, maybe you don’t. But if you and your employees are idle and you’re edging into panic, you most definitely do. Of course, that’s not even considering that your building might be destroyed, or you can no longer purchase the goods you need to operate.

Some things to consider as you – and your team of IT professionals, managers and key employees – begin thinking about creating and enacting a BCP:

  • How long can we be down?
  • How much data are we willing to lose?
  • What applications are the most critical in running the business?
  • Do I have a way to contact all our employees in an emergency?
  • What products/vendors are vital to our operations?

Some high-level things you’ll need to address in your plan:

  • Identify Potential threats and risks: Natural disasters such as hurricanes or floods, equipment failures, computer virus or cyber-attacks, fires, social unrest or terrorist attacks, human error
  • Identify people, places, providers, processes and programs that are critical to your business:
    • Who and what is absolutely necessary to restore critical operations?
    • What are our priorities, in terms of reestablishing operations?
  • Where could we go in the event our building is unusable?
  • How can we ensure redundancy for our critical operations?
  • Ensuring our BCP is accessible even if our systems are not

Adopt controls for mitigation or prevention:

  • Define and appoint an emergency response team.
  • Create a communication plan for management to all employees.
  • Develop a resource management plan.
  • Enact public relations, if necessary, to protect your brand.

Test and maintain the plan routinely:

  • Test the plan at least yearly
  • Update the plan quarterly

Don’t know where to start? The Sans Institute has a great white paper on how to go about creating a business continuity plan: https://www.sans.org/reading-room/whitepapers/recovery/introduction-business-continuity-planning-559. Additionally, TNSC can assist with setting up a Business Continuity Plan for your company.