You never expect bad things to actually happen to you. It is always someone else who has a fire, flood, accident, or destructive computer virus. Let’s face it—even a relatively mundane thunderstorm could send that big tree out in front of the office crashing through your roof, and your business life. Incidentally, I just read some U.S. Department of Labor Statistics figures that agency owners (and their clients) should see.
- 93 percent of companies that experience a major disaster are out of business within five years.
- Half the companies that experience outages of ten days or longer are out of business within two years.
In many kinds of disasters (floods, fires, tornadoes), the biggest problem in getting a damaged business up and running after an incident is lack of access to your office. That is why business continuity planning is so critical. Many businesses in New York’s World Trade Center area are still unable to return to their offices even to collect equipment or files. Only some of the WTC’s tenants had continuity plans that enabled them to establish emergency operations elsewhere in the days immediately following September 11.
Even a relatively small fire can seriously impede your ability to conduct business. Think about how long it can take to get phone or electric service restored after a storm-induced power outage. And consider the risk you run in being unable to service clients over a week or more of enforced downtime. Their business can’t wait on your eventual availability. If they contact another agency to help them while you are out of service, you could find yourself bumped from their “preferred” list altogether.
Agencies should have good continuity plans in place, and their employees need to be fully vested in these plans. In the wake of 9/11 and the ongoing threat of terrorism on our home soil, it has become even more important for businesses to look carefully at continuity planning to protect their assets, people and clients. Further, if you learn how to do this kind of planning for your own business, you can offer clients your assistance and advice in developing their recovery procedures.
What will it cost?
A typical continuity plan will cost between $25,000 and $150,000, depending on the size and complexity of the business. Be aware that there are professional organizations available to help businesses with continuity planning. In fact, there are thousands of active Certified Business Continuity Professionals (CBCP) and Business Continuity Managers (BCMs) working as consultants in the USA. You may want to consider partnering with such a professional to offer this service to your clients, or to connect clients with a continuity specialist as a goodwill gesture.
A Step-By-Step Outline for Developing a Business Continuity/Recovery Plan
A good business continuity plan is a recovery plan based on a thorough understanding of your business. Agencies must carefully assess which processes—and their crucial elements—are critical to maintaining business “almost as usual” throughout a crisis.
How vulnerable are you to potential disasters? Do you live in a hurricane zone, “Tornado Alley,” or on an earthquake fault? Are you located on the flood plain of a major river, or (given recent events) in a location vulnerable to possible terrorist attacks? List the possible disasters you could face. Your insurance provider could advise you on things that you should include, based on geography, location, and other factors.
Which of your facilities and processes are critical to your ability to continue daily operations and service key customers? Every business is different. Discuss this with your employees and department heads and try to cover all the bases.
What plans/precautions are already in place to mitigate or minimize the possible effects of a disaster or business interruption? Consider:
- Full insurance to cover replacement of structure and equipment.
- Current backup files (daily for critical business data and ongoing project work; at least weekly for other files; archives for historical files).
- Payroll insurance to cover lost workdays.
- Capital and extra expense insurance to finance the recovery plan without hurting profits.
- Prevention planning – existing security measures and procedures, like multiple offsite backups, the firewall on your server, fire extinguishers in key locations, anti-virus software, backup copies of critical software application install discs, etc.
- Media relations planning – If you are a publicly traded company, you need to be prepared to inform shareholders and investors of the situation and reassure them of your ability to continue business activities relatively unimpeded by physical problems.
- Current employee contact information – Are all of your employee files up to date? Do you keep a current contact list offsite (preferably in multiple locations) to ensure all can be notified immediately in an emergency?
Business Impact Analysis
List your critical business processes. In an average agency, these would include accounting, creative, account service, new business, traffic and production, e-marketing, media, public relations, new business, etc.
Determine the amount of time your critical business processes could be inoperable without significantly impairing your ability to conduct business and serve clients. This is sometimes called the RTO (Recovery Time Option).
List the required internal/external functions and resources that support each critical business process. Include:
- IT systems
- Computer hardware/software
- Communications networks
- Internet access
- Business records
- Paper-based files
- Trading partners
List potential contingency options for recovery of critical business functions within your RTO.
Make sure you consider all contractors and service providers that provide critical services (web-hosting, web-based data storage, freelancers, strategic partners, et. al.). This strategy is tightly bound to your Mission Statement. If “giving the best service to our clients” is your mission, the account/client service process should have first priority.
Business Continuity/Recovery Strategy
List critical business processes in order of priority.
For each critical business process, prioritize critical functions and resources.
Establish the RTO for each critical business process. They will vary based on priority.
Determine alternative sites for internal/external:
- IT systems
- Critical personnel
Drafting the Plan
Now you are ready to draft your plan. The following action items should be included:
Conduct an audit of your current backup procedures for databases, networks, hardware, work sites, key personnel, records, etc. Bring all backups up-to-date, make sure you have duplicate sets of offsite backups for all critical data and records, and then set up a regular audit schedule to ensure that these stay current.
Establish recovery procedures for critical business processes. Who collects backups and where do you plan to set up your “emergency command center”? Where will you get phones, computers, furniture, etc?
Establish recovery procedures for critical business process support functions/resources.
Identify recovery tasks (the “Recovery To-Do List”). In addition to reestablishing an “office,” these would include calling clients, contacting contractors and partners, checking in with vendors and service providers, etc.
Assign recovery tasks to teams/individuals. Each employee takes responsibility for specific items.
Consider “escalation scenarios.” Develop procedures to deal with such incidents. A good initial response can go down the tubes if something else happens to compound the original disaster.
Develop continuity/recovery plan implementation procedures. Draw up a “Crisis Call List” for contacting key personnel and activating the recovery procedures.
Set up a testing schedule and procedures.
Establish a plan maintenance schedule. This is very important. A recovery plan that is not regularly reviewed and updated will probably fail because it will not include vital updates to systems and software, or changes in critical process priorities. We recommend that agency principals sit in review of their continuity plan at least every six months and adjust it accordingly. Ideally, changes in systems, procedures, staff, clients, etc., should automatically be factored into the plan as soon as possible.
Make sure new employees are vested in the plan as soon as they complete probation and become eligible for benefits. With the goodies come the responsibilities.
When you solidify your procedures, publish them in booklet form and distribute them to employees in a big meeting. Stress how important the plan is to protecting the agency, and their job security. All personnel should have copies to keep at home, with their assigned tasks highlighted for speedy reference. Then conduct a “fire drill” to verify that your plan works and all critical processes have been identified and included. This will also clarify that employees understand their responsibilities for recovery procedures, and will give them some security. Few things are more calming in a crisis than the sense that “we are in control—we can handle this.”
Now… submit a press release about your foresight and planning abilities to the local papers. In the present climate of heightened security concern, we bet you will get some calls about helping businesses draft their own continuity/recovery plans.