By Veronica Baxter:
Today, businesses both large and small face unprecedented challenges. Natural disasters such as hurricanes and fires, widespread power outages, political unrest, and the pandemic have affected the operations of thousands if not millions of businesses in recent months.
If you own a business and are thinking about creating a business continuity plan and a disaster recovery plan, you are prudent to do so. This article will define each type of plan, explain the differences between them, and set forth their essential components so that you can get started. Be prepared for that next emergency.
What is a Business Continuity Plan?
A Business Continuity Plan is a plan of action you create to ensure that the business continues to operate if disaster strikes. The plan provides in advance the contingencies, procedures, protocols, and back-ups for all aspects of operations, which employees follow in an emergency that would otherwise halt operations.
Having a Business Continuity Plan is not just a good idea – it may be mandated by state or federal law. For example, financial institutions are required to have a business continuity plan. Businesses in the healthcare industry must have a business continuity plan to comply with federal HIPAA requirements.
What is a Disaster Recovery Plan?
A Disaster Recovery Plan is your process for getting essential IT infrastructure and operations up and running following an outage, whether an electrical outage, a computer failure, or a security breach. It is an essential part of any Business Continuity Plan.
As part of an effective Disaster Recovery Plan, you will establish procedures for restoring each application in your IT structure, determine how long it will take to restore from back-ups and perhaps find ways to improve that, establish where those back-ups are stored and how they are secured, and assign responsibility for initiating and directing the restoration.
Without a Disaster Recovery Plan, a business faces the following risks:
- Financial loss – lost profits, government fines for data breaches, court sanctions
- Damage to the reputation of your brand due to negative publicity
- Loss of customers or suppliers due to your inability to perform under contracts
What is the Difference Between BC and DR Plans?
The Business Continuity Plan is the overarching and controlling plan by which a business retains functionality during an emergency. The Disaster Recovery Plan is the data recovery preparedness part of your Business Continuity Plan, providing for the restoration of normal communications, hardware, and IT functions. Its purpose is to minimize downtime and restore normal technical operations as soon as possible.
What Should My Business Continuity Plan Include?
A Business Impact Analysis
First, conduct a Business Impact Analysis (BIA) to assess the risks to your business operations. A Business Continuity Plan should provide for mitigating the risks included in your BIA, which will likely include these among others specific to your industry:
- Loss of electricity
- Death or loss of a key employee
- Severe damage to or destruction of your business location
- Machinery or equipment failure
- Loss of a supplier
- Failure of IT systems
- Data breach
- Theft of intellectual property
- Suffering from or creating environmental hazards
- Lawsuit judgments or court sanctions
- Government fines
Devise Strategies to Mitigate Risk, and Implement Those Strategies
By assessing each risk’s potential impact on operations, you can implement appropriate procedures, back-ups, and safeguards to mitigate that risk.
Establish Procedures for Employees to Follow in an Emergency
Once you identify risks and risk mitigation strategies, you will discover that many mitigation strategies are implemented proactively. These include:
- Purchasing the appropriate insurance for your business
- Installing fire control systems
- Installing security systems
- Installing a generator or other back-up for electricity
- Backing up all data securely
- Holding stock or machinery and equipment parts in reserve
- Performing annual maintenance on machinery and equipment
- Mandating ongoing training
- Implementing redundant training, in the case of loss of a key employee
- Performing independent audits of the business for compliance with financial, data, employment, environmental, and other legal requirements
Other risk mitigation strategies are implemented once the disaster strikes, and these will be created once you identify critical functions and systems, establish remediation procedures, and assign employees accordingly. This requires an effective communication plan with employees.
Train Employees to Follow the Business Continuity Plan
Periodic rehearsals in case of emergency will reveal any faults in your plan, so you have time to remediate them before an actual disaster occurs. Rehearse often and rehearse different scenarios to test both your plan and your employees’ training in implementing the plan.
Assess Your Business Continuity Plan Annually
Your business will evolve over time, and so must your business continuity plan. Meet with your BC Plan Committee at least once annually, if not every quarter, both to discuss whether new risks have arisen and to assess the results of your rehearsals and adjust training accordingly.
About the Author: Veronica Baxter is a legal assistant and blogger living and working in the great city of Philadelphia. She frequently works with Larry Pitt, a workers’ compensation lawyer in Philadelphia.