When a disaster strikes your business, what are the steps you take to stay operational? How do you communicate with your employees? What do you need to do to recover and get things back up and running? How do you keep producing?
The answer to these questions (and more) lies in the creation of a business continuity (BC) plan.
BC planning is often associated with cybersecurity events or incidents, but it’s important to consider other instances where outside influences can cause disruptions.
This might include a natural disaster or weather-related incident, data center failure (like many saw late last year with AWS Cloud Services), extended black outs or power outages, and much more.
A BC plan answers the following questions:
- If I don’t have my ERP system, how am I going to produce?
- Do I ship what I normally ship?
- What should be communicated about the attack to customers?
- How do I print labels or conduct inventory?
Where to Start
The first step in planning for business continuity is conducting a business impact analysis (BIA) that identifies the impact of a loss of critical processes that keep the business going, usually related to the cost of not being operational. This highlights the absolute minimum functions of the business that are needed to keep producing, processing, and ultimately, make money.
- Assess your risk. Engaging in a security review of your organization’s technology systems may be a good place to start. Additionally, if your processing plant is in an area of the country that’s susceptible to power outages, hurricanes, floods, or extreme weather, that kind of risk needs to be addressed.
- Identify stakeholders. Since BC planning involves the entirety of the organization, multiple business areas will need to be involved. Start by identifying who makes the most sense to represent these areas.
- Look at critical functions. In the world of fresh produce, time is of the essence and processing needs to resume as quickly as possible. However, there might be some leeway with other functions of a business that are not necessary to keep the business going. Starting a BC plan involves taking a serious look at which is which.
- Determine acceptable downtime for each. When identifying the critical functions above, determine how long each can be inaccessible for a day, a week, or a week, and what the loss might look like.
What is Covered in a BC Plan?
Every company is a technology company. And while involving the IT department in BC planning is a critical component in this planning (see my previous article on incident response planning), they are only one piece of the puzzle.
True business continuity covers the entire organization: business processes, assets, human resources, supply chain partners, and more.
For example, when time and attendance software system Kronos cloud offering went down for a very extended period, organizations responded differently. In some instances, companies were able to manually calculate pay based on previous pay periods and replicate the information as closely as they could until a resolution was reached.
In other cases, such as a Coca-Cola distributor in West Virginia, many employees were shorted or received no wages at all for full-time work.
The results of those responses directly impacted the employee’s morale and the impact the event had on the company. This is one of numerous examples of businesses affected by outages or cyber events that didn’t have a BC plan in place. Organizations should use this as a lesson.
The BC’s focus is the continuity of the business despite the loss of access to critical components related to the supply chain and these considerations should be made within the plan:
- How to communicate with employees in the event that email and internal communications channels are severed
- Dependencies between business areas and functions
- Meeting the needs of vendors and customers
- Whether to outsource critical functions, such as IT services or even manufacturing if complete losses are present
The BC plan should also describe how you return to normal operations once technology systems are restored.
Document the Steps
One tool that is essential is a checklist for each department’s involvement in recovery efforts, as well as the entire plan. This should include information like the location of backups, where the plan is available and who has access to it, contact information for key personnel, and more.
But more importantly, the plan shouldn’t be stored solely on your server. It should be accessible even when your technology systems are down.
Test, Test, and Test Some More
At the end of the day, you can put a plan in place to respond effectively to an outage or cyber incident, but if you don’t test each piece of the plan, you won’t really know if it’s what’s needed when an incident occurs.
This gives your organization an opportunity to address potential gaps that may arise and improve areas that may not seamlessly address potential challenges. There are a couple of ways you can test your plan including table-top exercises, structured walk-throughs, or disaster simulations.
The Bottom Line
Having a plan in place for your organization can go a long way in helping you get back up and running and can add some peace of mind for your employees, investors, vendors, and many others that you’re prepared to handle whatever might come your way.
