From earthquakes to cyberattacks, there is a wide range of threats and disasters that can affect organizations, and in the modern era, the variety of disasters continues to increase.
Since 1950, the total number of annual disasters as well as the total cost of each disaster has increased more than 200 percent, according to the Federal Emergency Management Agency (FEMA).
These disasters are becoming harder to predict. For example, how do you predict a cyberattack, a terrorist attack, or a fire? It’s nearly impossible to know when these disasters will strike, and yet any of them could result in complete failure for an organization. In fact, FEMA states 40 percent of small businesses will not reopen after a disaster; 25 percent fail within the first year, and 90 percent fail within two years of the disaster. Additionally, FEMA research shows businesses that experience significant data loss will fail 93 percent of the time within five years.
There is hope for business owners or facility managers who are terrified by the thought of an unpredictable disaster destroying the fruits of their labor. A well-crafted business continuity plan—which, at its core, is a strategic plan that allows an organization to continue operating in the wake of disaster—will help to mitigate, or in some cases, even prevent, damage from disasters.
However, not all business continuity plans are created equal; there are steps that can help to ensure you have the most effective and efficient plan in place. Edward Buikema, an instructor from the University of Chicago’s Graham School of Continuing Liberal and Professional Studies, provided the following step-by-step guidelines during a 2017 CMM webcast.
Companies must evaluate three areas of their business before moving forward with developing a plan.
To effectively analyze possible hazards, you must understand the environment in which your organization operates to decide which threats pose the greatest potential danger to your organization. For example, tornados may not be prevalent in certain areas of the United States, but can be a huge concern for a business or facility operating in a more tornado-prone location in the Midwest. Conversely, terrorist attacks may be far more relevant to a city-based business than they are to an organization in an isolated location. With threats varying from a nuclear power plant meltdown to natural disasters, it is important for you to spend significant time analyzing your environment.
Assets and Vulnerabilities
Next, you must assess the assets at risk. These may depend on the specific disaster, but can include variables such as employees, the supply chain, equipment/systems, property (buildings, infrastructure, or vehicles), reputation, or anything crucial to the operation or income of the organization. You must compile a complete, prioritized list of your organization’s vulnerabilities to ensure the plan protects as many of the assets as possible but focuses on the most crucial assets to operation and those at the highest risk.
Think about the effects and negative impact a disaster could have on the business, such as a lawsuit, property damages, casualties, financial loss, or interruption of operation.
After completing a thorough analysis, it is time to develop a plan that addresses the following:
Preventative measures are by far the best way to deal with a disaster, as they can serve as a roadblock before any damage is done. An example of a preventative measure would be upgrading your firewalls to prevent cyberattacks. Installing lightning rods is another example; putting them in place can help guard against electrical damage caused by storms. Integrate preventative measures into your business continuity plan whenever applicable; if budgeting is an issue, implement measures to prevent the most common or impactful disasters.
The goal of mitigation is to minimize the damage or losses resulting from the disaster. One example of mitigation is flood insurance. Although insurance won’t stop a flood, it will lessen your associated financial losses. Put mitigation strategies into place for all the possible impacts that you previously outlined in Step No. 1.
Response is any action taken to prevent further financial loss, property damage, injuries, or other damages from the actual disaster. Your response strategies can range from moving building occupants to the lowest floor during a tornado to having a crisis-control public relations firm on speed dial. You should spend time implementing a proper and effective response protocol to greatly reduce all types of losses from the disaster as well as protect your organization’s reputation by making it look prepared and capable. The efficiency of your response protocol will determine how well your organization handles a disaster.
A recovery strategy can include an action, procedure, piece of equipment, or space, but has a goal of returning a business to the minimal acceptable level of operation as swiftly as possible. Some examples of recovery strategies are lines of succession, back-up generators or hard drives, contracting with third parties, or utilizing a secondary business site.
Like every aspect of your business continuity plan, your recovery strategies must be tailored to your organization or facility. For example, a manufacturing company does not need the same recovery strategies in place as an investment banking firm. The manufacturer is more concerned with strategies that keep the cash flow and production levels as close to normal as possible, while an investment banking firm would be much more concerned with protecting its reputation and the security of its files.
The specific potential impacts outlined in Step No. 1 dictate the proper recovery strategies to deploy. Once your organization has outlined the necessary recovery strategies, conduct a gap analysis to determine the “distance” between the resources it has and the resources required to execute these strategies. You must close these gaps to have a successful plan. Adequate resources are crucial to successful deployment; without them a recovery strategy is just an idea, and the business will suffer as a result. Once all resources are available, put the recovery strategies in place so they are ready to be used should the need arise.
A plan is only as good as its execution. Like a machine that needs all its moving parts in sync, a plan must be understood by all employees, and they must be able to implement it. The only way to be sure that this happens is to continuously practice it.
Organizations must also continuously update their business continuity plans, not only to address changes within the organization, but also changes in the world. Twenty years ago, cyberattacks were not an issue, but now they are a real threat that plagues businesses. Keeping the plan up to date and timely will ensure its effectiveness for the lifetime of your business.
The key to success is preparation: to outwit, outplan, and outmaneuver the competition. Benjamin Franklin once said, “If you are failing to prepare, you are preparing to fail.” Businesses have plans in place for countless events that may affect operation, yet many fail to protect themselves from disaster. Since disasters are difficult to predict, you must prepare, create a business continuity plan, and stop leaving the future of your organization to chance.