
The Small And Medium Size Businesses Guide To A Successful Continuity Program
This article is specifically written for any small to medium size business
that wants to implement a continuity plan (CP). The information that’s
provided within follows the same methodologies used by large corporations.
The only difference you’ll find is that the requirements are scaled
down, but not compromised. That is, the step-by-step process presented
here is realistic, achievable, affordable, workable, and one that meets
the practical needs of a smaller type business. Ready?
A Business By Any Other Name Is Still A Business
We’ll start with a simple premise, and your acceptance,
that you are a business. It doesn’t matter if you previously labeled
your entity as a company, business, department, agency, branch, district,
firm, organization, hospital, office, institution, publisher, church,
corporation, authority, or partnership. You’re a business. You may
be part of the public or private sector, but you’re a business.
It doesn’t matter if you consider yourself small, medium in size
or large, that you produce or deliver materials, goods or services, or
you are for profit or not for profit. You’re still a business, perform
all of the functions any business performs, and you need to think like
one.
A business starts with some form of business plan or mission
statement. Staff is then brought in to produce or deliver materials, goods,
or services. Human resources hires the staff that occupies a building
you acquired and payroll addresses compensation. You require capital and
have a budget. Purchasing acquires your furnishings, equipment, supplies,
materials, and/or services. Accounting addresses payment of invoices and
books revenue from sales. The business probably has information technology,
and uses voice and data services. Legal assistance is sometimes required,
you advertise, and insurance is most likely not an option. Almost without
exception, taxes are paid. The business grows and expands, remains stagnant
or stable, or ceases to exist. Finally, the business has risks and exposures
from natural or man-made disasters.
So are small businesses really different from large ones?
The answer is very much so, but not really. If you break it down, you
will find that the only differences come in the complexity, number of
functions performed, and the number of employees. Other than that, small
businesses generally do the same things as large businesses; only they
perform them on a much smaller scale. As an example, in a small business,
the accounting department may be a staff of 1 or 2. In a large business,
the accounting department may easily exceed a hundred. In a large company
there may easily be 2 or more full time emergency planners that are certified.
In a small company it may be an additional assignment given to someone
that has no experience. The point is, the basic needs of both large and
small businesses are the same; it’s just on a different scale.
A Realistic, Achievable, And Functional Continuity Program
Almost everyone reading this article is part of a small
to medium size business that has interest in developing a disaster recovery
or business recovery plan. However, as we progress, you’ll learn
that both types of plans are really required. Furthermore, at this time
you’re most likely thinking only about a written “plan”.
It is my hope that I can expand your thinking beyond just having a plan.
Hopefully, you’ll want to start thinking about a total “program”,
one that also includes the plan you’re looking for.
A continuity program is a proactive methodology that provides
a multi-faceted approach to your business’s emergency planning. The steps
to achieving this type of ongoing program are outlined within this document.
Each identified step follows what is considered “best practices”;
however, the requirements are scaled down to meet the needs of the small
to medium size business. The bottom line is to keep the process simple
and straightforward so that you will implement and maintain a program.
Furthermore, this must be accomplished without compromising the integrity
of your program or business readiness.
Types Of Disasters And Degree Of Readiness
As a small or medium size business, you are exposed to
the same potential disasters as any large business. You are just as much
at risk as every other business is within your city, no more and no less.
Disasters fall within two categories:
· Local: This type of disaster generally impacts
a narrow geographic area. Usually it is confined to a single building,
or adjacent buildings. Quite often they are man-made, and could be: fire,
explosion, terrorism, chemical spill, etc. With this type of disaster,
you can expect outside assistance in responding to your emergency.
· Regional: This type of disaster affects a wide
geographic area and is often attributed to a natural event. The causes
could be: hurricane, flood, earthquake, tornado, etc. With this type of
disaster, both the Red Cross and FEMA recommend that you be self sufficient
for the first 72 hours following the event. Expect no outside assistance.
When you’re doing your continuity planning, you
need to plan for a worst-case scenario. That is, a disaster occurs that
prevents you from returning to your normal work location for a prolonged
period of time, if ever. Therefore, you need to have a program in place
that will enable you to respond to the event, recover your work environment,
and resume your business activities. And you need to do this using only
a written plan and information you’ve stored offsite.
In closing on this topic, logic holds that if you are
ready for a worst-case disaster, you should be ready for a disaster of
a lesser magnitude.
Continuity Program Best Practices
If you remember, a continuity program is a multi-faceted
approach to preparing your business ahead of time. The steps that are
suggested come after decades of experience. Each step offers something
toward ensuring that your business is ready to respond to, recover from,
and resume operations after a disaster. Each step is important, and if
you simply implement only a few of the steps, you may leave your business
far short of truly being ready for a disaster. Would you be better off
with only a few steps in place? Probably, but that is not what you want,
for in a real disaster, you want to be ready, not just better off.
If you’ve made it this far into the article, there
is a good chance that you are truly interested in developing a continuity
program. Furthermore, once the steps are outlined, and you fully understand
the concepts and approach, there is a good chance you’ll complete
the process. Finally, at the end of each step I’ve included some
very rough estimates of what each step may cost to implement.
Step 1 – Obtain Management Commitment To A Continuity Program
The development of any continuity program will take hours
of staff time to implement and certain financial resources. To obtain
those resources, management needs to commit to the process. To obtain
approval, there are numerous justifications that can be presented.
To start with, research any laws, regulations, or codes
that pertain to your line of business (these often apply to health care
providers, insurance, financial institutions, and government entities).
Also, look at any contracts that you may have with your customers that
require you to have an emergency type plan. If any exist, justification
becomes relatively easy.
Additional reasons may be: meeting audit requirements, reducing
liability exposure for management, providing a competitive edge in future
business, addressing life, health and safety issues, avoiding intangible
losses such as customers, or having a process in place to save the business
following a disaster.
Once you have identified the various reasons for implementing
a continuity program, you need to assemble a document to present to management.
Within that document, you will want to:
· Identify potential risks to the business
· Define what a continuity program is
· List the steps required for implementation
· Provide an implementation timeline
· Document the justification(s)
· Furnish estimated costs
· Conclude with a recommendation.
Schedule a meeting and present to management. Your objective
is to obtain approval to proceed with the process.
Estimated Cost: About 4 – 6 hours to put together
a recommendation
Step 2 – Identify Your Continuity Program Administrator
Though a continuity program is an entire business responsibility,
one individual needs to assume ownership of the process. That individual
will address the risk and business assessment, ensure that written plans
are developed and maintained, arrange for offsite storage, identify alternate
work locations, and train and test the process.
Estimated Cost: About 2 – 3 hours to put together
a recommendation with documented duties
Step 3 – Perform Risk Assessment & Mitigation
We start with a philosophy that it is often easier, quicker,
and less costly to prevent a disaster than to try to recover from one.
However, in order to accomplish this, you first need to know what your
risks and exposures are, and, if economically feasible, you can then eliminate
them.
This is where risk assessment comes in. It is a “discovery”
process that any business can undertake to identify potential threats.
As a starting point, may I suggest that you address: your work area, building
location, security, building support equipment, safety, etc. Walk around
your building and property to look for situations that can potentially
cause problems. Ask questions internally, and call in outside assistance
if you are not certain. As you undertake the process, identify and list
any and all noted risks or problems that could cause or contribute to
a disaster event.
Though there is a formula to use, we’ll keep the
process simple in identifying what you need to mitigate. Sequence the
list of identified risks that you previously made, placing the risks that
have the highest odds of occurring and the greatest potential for impact
at the top of that list.
Starting at the top of the list, identify alternate solutions
that will enable you to correct the risk. Obtain cost estimates to implement
the solution and present to management for approval and subsequent implementation.
Estimated Cost: 2 hours to develop a strategy, 2-4 hours
to do an assessment, 2-4 hours to research and document mitigation options,
and 2-4 hours to obtain and document costs to correct potential risks.
As far as the cost associated with the risk corrections, that is contingent
on the risks you identify and recommend for correction.
Step 4 – Perform A Business Impact Assessment
In order to progress any further in the development of
your continuity program, it is important that you understand your total
business. First, all work groups within your business need to be identified.
This is important, as you will be meeting with the managers of these groups
a little later in this process.
Next, develop a questionnaire that you will use during
your upcoming meetings with the various work groups. As a starter, find
out in detail what functions the group performs. Understand the group’s
reliance on both internal and external information and data. What tools
and resources do they use? What are their critical systems? Where does
the information they produce go? Do they use critical hardcopy records
that are not replicated offsite somewhere else? What is the impact on
the business if they could not perform their business functions for a
day, three days, a week, or a month? Do they require special equipment
or tools? Do they have certain functions they perform that are more critical
than others? Who are their vendors? Are there financial penalties associated
with missed deliveries? Add other questions that may be pertinent
to your specific business.
Finally, schedule some time with each of the work group managers or supervisors
and walk through the questionnaire. When you have finished with all of
the work groups, retain this information for later use.
Cost Estimate: About 1 - 2 hours preparing questions and
1 hour x 2 staff members for each work group you meet with.
Step 5 – Identify Recovery And Resumption Strategies
Schedule a planning session with your management to discuss
the business recovery objectives. Have available the information you collected
in your impact assessment. During this session, you will want to address:
alternate work locations, work group recovery priorities, recovery time
lines, an emergency command center location to coordinate recovery, and
information system recovery strategy.
The agreed upon recovery and resumption strategies will
be used in the development of your written continuity plan.
Estimated Cost: About 4 – 8 hours depending on
the number of staff members you want to include in the planning session.
Step 6 – Develop A Written Continuity Plan
So what is a Continuity Plan (CP)? At a high level, a
CP is really three types of emergency plans that have been merged into
a single and all-inclusive written document. It is a comprehensive written
plan designed to address:
1. Emergency Response – Life, health, safety, evacuation,
floor wardens, emergency notification, exit routes, etc.
2. Disaster Recovery – Addresses recovery and resumption of your
information systems hardware, software, data, and network functions.
3. Business Recovery – Addresses recovery and resumption of your
primary business functions and the various support groups such as: accounting,
HR, payroll, etc.
Any CP will need to address five primary stages (a.k.a.
phase, period) that take place from the time of the event to the time
you relocate back to your permanent work location. Those stages are:
STAGE 1 – Response - Activity immediately following
the event. Life, health, and safety actions are your primary concern.
If possible, contain the source of the problem. Provide first aid, evacuate,
phone emergency services, phone other team leaders, etc.
There is no recovery within this stage, but limited damage
assessment, notifications, and management decisions are being made.
STAGE 2 – Recovery of work area and resources. When
safe, or at another location, you must now start to restore your work
environment. Until this has been completed, you cannot resume your business
functions. The objective is to recover your work environment as close
as possible to the way it was before the event occurred.
STAGE 3 – Resumption of business functions. At this
stage, and following your work area recovery, you are ready to resume
certain business functions. Depending on the situation, some or all of
the functions will resume operation in a systematic and prioritized fashion.
Also of note, if a function is resumed, it may be limited in scope for
a period of time.
STAGE 4 – Reconstruction of damaged facility. This stage documents
the steps that will need to be taken to clean up your damaged building
and/or reconstruct it if it was severely damaged. If the building was
destroyed, another permanent facility will need to be located.
STAGE 5 – Relocation back to your rebuilt facility.
Documents the process you will take
to move back.
For the smallest of businesses, those with fewer than 20
employees, the CP will be one document that addresses all five stages.
However, for small businesses that have more than 20 employees, the concept
of recovery teams will need to be used. That is, your CP will be made
up of multiple recovery team plans.
Recovery teams are a simple way to break your CP into
manageable groupings of activities. Furthermore, the larger a business
is, the more recovery teams you will utilize. An easy way to understand
this concept is to provide some examples for you to reference.
A small business with about 20 to 40 staff members may
use 4 recovery teams:
· Emergency Response and Damage Assessment Team
· Crisis Management and Administration Team
· Information Systems and Voice And Data Team
· Core Business and Support Function Team
A small business which has expanded, to say 40 to maybe
80 employees, may use 8 recovery teams:
· Emergency Response Team
· Damage Assessment and Reconstruction Team
· Information Systems Team
· Corporate Support Team
· Core Business Team
· Voice & Data Team
· Administration Team
· Crisis Management Team
Finally, taking it another step further, a business of
maybe 140 employees may use the previously mentioned 8 teams, but may
add 3 additional Core Business Teams, and/or they may want to split the
Information Systems Team into two different teams (one for hardware/systems
and one for application software).
The point is that the bigger the business, the more recovery
teams you will probably use. Each team will have a team leader and backup.
The team leader is responsible for developing their team’s plan
by identifying what tasks need to be performed within each stage. Finally,
each team leader must document how to perform each task.
Once the team plans are completely developed, the continuity
plan administrator needs to review each plan for accuracy and detail.
The information gathered in the previously taken business impact assessment
can be used as a reference and check point.
In closing, once all of the team plans have been developed,
then and only then do you have a CP.
There are some very good software plan development tools
available. It is suggested that you select a product that meets your needs
as opposed to trying to develop it yourself. By utilizing software templates,
your CP will be more comprehensive, it will utilize proven methodologies,
the plan will be developed quicker, and it will probably cost less than
if you did it yourself.
A comprehensive Word based software product that provides
the required team plan templates and structure is all you’ll need.
This type of software will work extremely well within any small or medium
size business. Finally, in selecting the software ensure that an extensive
introduction and guide that addresses continuity planning is provided.
Estimated Cost: Plan development software, less than $1,500.
Also, about 4 – 12 hours to develop each team plan.
Step 7 – Offsite Storage Of Information & Data
If you ever want to recover your business following a
disaster that destroys your facility, it is imperative that you have critical
information stored offsite. This offsite storage of information must include
both hard copy records and backups of your information systems. The information
that needs storage should be identified during your impact assessment.
Full volume backups of all of your systems should be performed at least
weekly and rotated immediately offsite.
Note: If you have critical information, files, data, manuals,
records, etc. that you use in your business, and the only copy is at your
work location, you are at risk. Furthermore, that risk becomes a reality
if a disaster occurs which destroys that information. If you do not have
access to an offsite copy, or if you are unable to replicate it, it is
gone forever.
Estimated Cost: Using a once a week pickup schedule and
four storage containers, plan on about $200 to $400 monthly.
Step 8 – Recovery Location
The feasibility associated with the use of alternate work
locations needs to be addressed prior to a disaster. There are three areas
that need consideration:
1. Emergency Command Center: This is an alternate location that is generally
removed from your normal work location. The primary purpose is to have
a location where the management team and certain identified staff members
can meet to coordinate and direct the recovery efforts. It should be stocked
ahead of time with emergency supplies and items and include phones.
2. Work Area Recovery: This is an alternate location that is generally
removed from your normal work location. The primary purpose is to have
a location where various recovery teams can go to recover their work area
and resume their normal business functions.
3. Hot, Cold, or Mobile Site: This is an alternate information systems
recovery location that is generally removed from your normal work location.
It is a facility that has, or is ready to receive, computer hardware.
Estimated Cost: Depends on the recovery locations you
decide you need and the resources that you want readily available for
use.
Step 9 – Plan Validation, Training, And Plan Maintenance
Testing – Any CP should be tested and/or exercised
once it has been developed. The objective is to find any errors in the
plan strategy, tasks that do not provide accurate detail, or omissions
in the plan. If found, the CP can be corrected and updated before a real
disaster occurs. Plan validation can be made in one of two ways:
1. Schedule and perform an actual test. This process is
frequently utilized to validate the Information Systems Team Plan(s).
To conduct a test: schedule it, locate resources, recall backups from
offsite storage, and then restore and bring up the processor following
the detailed tasks contained within the team plan.
2. Schedule and perform a tabletop exercise. This process
is frequently utilized to validate the strategy and logic of the CP as
a whole. To conduct an exercise: schedule a meeting with all team leaders,
develop a realistic but imaginary scenario to play out, and moderate the
exercise walking through the scenario and changing events as you go. As
the moderator, you will need to call on various team leaders as the scenario
is played out. Each team leader will need to utilize his/her plan to explain
how their team will respond.
Training – Training is an important part of the
overall continuity program. You are encouraged to have your staff take
first aid and CPR courses. An occasional “awareness” flyer
delivered to the employees can remind them of the importance of emergency
preparedness.
Plan Maintenance – Keeping your CP up-to-date and
accurate is imperative if you expect it to be a viable document at time
of need. Changes will need to be made as changes take place in your business
(new server, new team leader, change in a business process, etc). Also,
each team leader should make a semi-annual review of all team plans.
Estimated Cost: Testing – 24 hours
Exercise – 20 hours
Training – Varies according to target objectives
Plan Maintenance – 16 hours
Conclusion:
In closing, a continuity program is very much an achievable
goal within any small to medium sized business. Each step that has been
presented within this article is important, and each one takes your business
closer to being prepared should a disaster occur. The process is truly
straightforward and it all starts with your commitment to the process.
Norm Koehler, CBCP, CRP – Norm is a frequent lecturer
and has written numerous articles that have been published in the DRJ,
SC Magazine, and The Business Journal. In 1996 Norm founded BRProactive,
Inc. www.brproactive.com
Copyright (c) 2002 Systems Support Inc. All rights reserved. Reproduction in whole
or in part in any form or medium without the express written permission
of System Support Inc. is prohibited.