By Todd Fitzgibbon
December is commonly a planning month for me. I reflect on the success and challenges of the past year and evaluate what success will look like in the year to come with an eye on minimizing the challenges. This year is no different, however my planning was abruptly interrupted. By what you ask? Well, by a planned extended-vacation of an employee critical to our marketing operations. It’s been a busy year for us and this scheduled event snuck up on me, almost as if it were unplanned. Honestly, I’ve been scrambling the past two weeks to ensure this individual’s well-deserved vacation is peaceful, recharging, and devoid of any hint of work. Anyone in the marketing world knows that each and every campaign is an intricate ballet of untold creative, development, and production tasks. Our vacationer is responsible for a vast number of those on the production side. Their work involves intimate knowledge of our processes, extensive understanding of eight unique software applications, and daily collaboration with numerous cross-functional teams. They are going to be gone for 30 days!
It was this entire scenario and the scrambling for coverage that got me thinking….what is my business continuity plan? While I am already anxiously awaiting their return (they haven’t yet left!), what if the island breeze is too alluring to come back?
Think about the complexity of what I just described – personnel, process knowledge, numerous IT systems, interdependencies, and operational reliance. I suspect your business environment is considerably more complex than my department, perhaps exponentially. While reactive scrambling is an approach, it’s typically an approach to disaster; one that expends unnecessary effort, diverts your attention from defined objectives, and dramatically increases the risk of overlooking critical steps. Speaking of disaster, what if your organization is faced with a catastrophic event, one that impacts your ability to continue operations.
The Federal Emergency Management Agency (FEMA) estimates that 40 percent of businesses do not reopen after a disaster, and another 25 percent fail within one year. The primary culprit? The lack of preparedness.
It can be hard to fathom Mother Nature knocking down your door and taking out your business in one fell swoop. That kind of risk, even though statistics show it’s growing, is still fairly rare. What isn’t rare are the other threats to your business continuity, such as hardware and software failures, cyberattacks, and good old-fashioned human error. Your supply chain can also be disrupted easily if a vendor you work with experiences a disaster of their own that ripples out to your business; our vacationer alone relies on eleven vendors.
At some point, one of these issues will create downtime if you’re not ready for it.
It’s important to make a distinction here: being ready is much different, and much more efficient for your business, than simply recovering or scrambling. Being ready means having a plan before something untoward occurs.
What It Takes to Be Ready: The Anatomy of a Business Continuity Plan
A business continuity plan can become pretty complex fairly quickly, which is why it’s important to start with creating a team and governance structure at the outset. You’ll also need enterprise-wide visibility and top-down support for the initiative, since programs with an executive sponsor almost always fare better than those without. You’ll need that sponsor in place beyond plan creation and implementation (think up to a year, not three to six months); many programs lose momentum when cut loose too soon from the protective wing of a sponsor.
Once this infrastructure is in place, there are typically five basic steps for building a business continuity plan:
- Identify your critical functions, processes, resources, products, services and assets.
- Create a risk profile of potential threats to these critical areas of the business, and your tolerance for each.
- Develop mitigation strategies designed to help protect your critical functions, products, services and assets.
- Test the plan before you need it.
- Revise it based on testing, changing business needs, and shifts in the market.
The complexity starts when you unpack each of these steps of the plan. For instance, you’ll need to capture both upstream and downstream dependencies for your existing business process to identify where they could be derailed by a human or natural disaster. You should also understand how these processes touch your assets, such as facilities, infrastructure, apps—and those same components for vendors who may be critical parts of your processes. Once you have this understanding, you’ll need to test multiple scenarios to identify failure points, fix them, and then build a plan for restoring and recovering business-critical functions should they actually go down.
The Benefits of a Business Continuity Plan
There’s the obvious benefit of business continuity, which is simply maintaining operations and keeping revenue flowing so you can stay in business. But beyond that, a solid business continuity plan will solidify your brand perception and value with customers and the public, which has real-world implications for revenue generation. It also makes you more efficient in the event of a crisis, which helps with your bottom line. And since CISOs, CIOs, and CTOs the world over must demonstrate preparedness to the board and other stakeholders, a business continuity plan is simply good job security.
Rsam equips companies with a platform to simplify and automate many of the more complex aspects of creating and executing a business continuity plan. If you’re not so fortunate as to be on vacation this month, it’s an excellent time to start exploring or enhancing your plan now—waiting until disaster strikes is obviously too late.