Stay Profitable By Telling the World About Your Business Continuity Plans
- Published on Monday, 19 November 2007 23:51
In addition to your customers, how you plan to protect your operation is of vital interest to your insurance company. They too are betting millions you will recover quickly after a crisis. Your investors want to know how you’ve protected their investments and your auditors are looking for compliance with corporate governance standards.
Each “audience” is essentially looking for the same thing: to understand your operations, to see your commitment to protecting your assets, and to know you have a plan for prompt restoration after a calamity.
Companies have long been effective in educating their executives with regard to their continuity plans, typically through internal presentations from the BCP group to upper management. These same educational materials, properly presented, can become a powerful tool in separating you from your competitors.
But isn’t our continuity plan confidential?
Absolutely. That’s why a high-level summary, with enough detail to describe the highlights of your program, is invaluable.
What should a good summary include? Your summary should offer a brief outline of how you’ve addressed each of the business continuity subject matters:
- Corporate support
- Emergency response
- Vulnerability assessment and mitigation techniques
- Business impact analysis
- Recovery strategies
- Training and awareness
- Maintenance and exercise
- Crisis management
- Coordination with public authorities
Although your emphasis should be on how you’ve mitigated your risks and your recovery strategies (this is where the rubber meets the road as far as your customers and insurance carriers are concerned), each subject has key elements that should be included in an effective summary.
Corporate support: How does executive management support and participate? Highlight how your organization has a culture that supports continuity, how your corporate commitment stems from a commitment to client satisfaction and that your continuity plans are designed to minimize the impact to your customers. Discuss the investment you’ve made in physical protection, recovery planning and training and awareness.
Implementation: Describe your program’s implementation process and the organization of your BCP group, the management, staff and budget. If BCP is the responsibility of employees outside the BCP group, even better. This allows you to describe what policies support this culture, how employee commitment is measured in their performance appraisals, and how BCP is integrated into the procurement process.
Vulnerabilities and mitigation: After introducing the culture and structure, it’s a good idea to detail the physical protection that helps prevent losses in the first place. Mention how you’ve assessed your vulnerabilities and describe your fire protection, physical security, building and equipment maintenance. Highlight construction features that are designed for specific hazards such as earthquake.
Emergency response, training and awareness, crisis management and communications: Briefly describe these programs. Who participates in these programs and how are they kept up to date?
Business interruption analysis: This was a critical step in your continuity planning. Describe this process. Which departments participated? Did it include facilities, equipment and suppliers? Describe how you’ve prioritized your functions into critical and non-critical groups. Was there a process for validating recovery time objectives?
Maintenance and exercise: Describe the process for maintaining and exercising your program and how you’ve coordinated with public authorities. Describe some of the analysis. What did you learn during the testing of your programs and how were you able to improve them? What is your strategy for updating the plan?
Focus on the Recovery Strategies
The recovery strategies are likely to be the most interesting to your reader so don’t skimp on the effort you put into this part of your summary.
There are several elements that a savvy reader will look for in your recovery plan, such as facilities, equipment, inventory and computer data. If an item really doesn’t impact your recovery, then consider describing why it doesn’t. Your reader will see this as “one less thing to worry about” during a recovery.
Remember, however, to err on the side of caution and “if in doubt, leave it out.” It will be easier to answer follow-up questions later than to retract something that should not have been included. Here are examples of what to describe for each strategy:
- Highlight protection features like sprinklers, earthquake upgrades, and fire prevention and emergency plans.
- Discuss your building specifications, alternate sites and your perception of the buildings available in your area.
- Explain how you might address some special considerations for your facilities such as high-bay areas, clean environments, or unusual power demands.
Manufacturing and Test Equipment
- Describe how you’ve reduced downtime through preventive maintenance and spare parts.
- Describe excess capacity that could be used in an emergency.
- Assess whether your equipment is generally off-the-shelf versus being custom-built.
- Highlight if you’ve crafted work-arounds for some operations.
- Mention alternate sources for the equipment. For example, if your R&D group uses much of the same equipment, or if outside vendors might be able to perform some part of the process.
Raw Materials Inventory
- Describe your general approach for raw materials inventory. Are materials kept off-site? Are these received in small batches every week or less frequently but in larger batches? If received in batches, are they all kept together or is the stockpile divided into safe locations?
- Highlight the physical protection, such as sprinklers and security.
- Describe if raw material stocks are segregated from hazards.
- If you keep buffer stocks of certain materials, describe how these are protected and segregated.
Finished Goods Inventory
- Describe how these are managed and protected.
- Explain your policy for getting finished goods out the door.
- If yours is a batch process requiring stockpiles, explain how these are segregated and protected.
- Describe physical protection of your systems like building construction, fire protection and natural hazards.
- Offer some insight about your business impact analysis including how the systems were evaluated, what types of priorities were used and how often it is revisited.
- Outline your recovery strategy (hot-site, cold-site and in-house systems).
- Provide some of the highlights as to how your facility, systems, network, applications and data would be recovered.
- Explain the frequency of backups for applications and data.
- Describe testing and maintenance of the DRP.
Infrastructure and Utilities
- Describe preventive maintenance and redundancies.
- Describe how you’ve identified and protected critical utilities.
- Mention alternate sources.
- Describe arrangements you may have with vendors for rental equipment.
- Describe how you will protect your key personnel through evacuation planning and drills.
- Discuss strategies for transportation to recovery sites.
- Describe abilities for workplace recovery plans and working at home.
- Describe how you may have reduced dependencies on sole-sources.
- Outline how you evaluate your vendors’ facilities and their BCPs.
- Describe other stop-gaps you have in place, such as safety stocks of critical sole-source supplies.
- Describe the BCP of your key vendors, and how you could make use of alternative transportation modes (land, air, water).
- Outline how you’ve identified vital records (such as engineering drawings and contracts), how they are being preserved and how you would access them in an emergency.
Use the right level of detail to lend credence to your summary. Inadequate detail could lead your reader to question whether or not they can give your plan much credit. Too much detail could scare your reader into believing the operations are too complex to understand and manage.
Although it’s not strictly related to BCP, you should briefly describe your operations, products, services and facilities. Your company probably already has something suitable within its sales literature, internet homepage, or SEC filings.
If you can, provide success stories about how your BCP was effective in an actual event. It will be particularly poignant if your examples include something we’ve all experienced, such as a regional power outage, a hurricane or a winter storm. Describe your approach to continuous improvement and how you’ve incorporated lessons learned. Understand the varied audience, and avoid industry jargon. Be factual and complete. Make it evident why you believe your programs are robust.
Putting business continuity to work for your business before a disaster strikes includes tooting your horn about how you’ve built a reliable and resilient program. As planners, we’re the best equipped to describe our company’s good programs. We also have the most to gain by showing that continuity planning can pay dividends when our customers and partners understand the quality of the programs we’ve worked so hard to build.
Chris Scheffler is a business continuity planner in California’s San Francisco Bay Area. He has 15 years’ experience evaluating the threats facing business of today and helping clients stay profitable through planning and mitigation. With an insurance background, he understands what “outsiders” look for when determining how much credit to give a company’s business continuity plans. He can be reached at (925) 726-9622.