Business Continuity Planning for crises like COVID-19

February 9, 2021
Oro

Was your business ready for COVID-19? With unstable markets, frozen sales pipelines, and a new, fully remote workforce, COVID-19 is waking executives up to the importance of business continuity.

Before the pandemic, many startups never had to operate during a crisis. To them, business continuity was an afterthought, if a thought at all. And even more-established companies are realizing they’re not prepared. Sixty-one percent of the 500 U.S. companies polled by AvidXchange said they had business continuity plans in place, yet only 37% possessed the technology needed to make their entire workforce remote. Others didn’t foresee a situation like this or didn’t take it seriously enough to prepare for it.

Whatever your situation, it’s not too late to strengthen your business against pandemics and other unexpected events with business continuity.

What Is Business Continuity Planning?

Business continuity planning is the process of identifying and preparing for company-ending events. It prompts you to define what your company would need to continue operating during a crisis, be it a pandemic, natural disaster, cyberattack, or power outage—anything that would significantly disrupt your day-to-day operations.

Business continuity also establishes an actionable plan that allows you to quickly and effectively respond to incidents and limit your losses, whether they’re financial, regulatory, or reputation-based. In short, business continuity keeps your business running during a crisis or, at least, sets it up for a quick recovery.

In addition to an actionable plan, business continuity includes risk assessment, business impact analysis, and testing. It’s tailored to your company’s specific needs and make-up, detailing different action items depending on the business it’s meant to protect. Take business continuity planning for a pandemic situation, for example.
Operations at some companies haven’t skipped a beat during COVID-19. This is particularly true for smaller, product-focused teams that already have a remote culture and already rely on the cloud for their technology and documentation. They might feel the impact on sales, but that’s about it.

Unfortunately, the story is different for a more established startup with 75 employees and a physical customer support location. This company’s business continuity plan would have to address many more risks and impacts.

Is Business Continuity the same as Disaster Recovery?

Business continuity isn’t the same as disaster recovery, but they each serve a similar purpose and goal.

Business continuity prepares for incidents before they happen. This proactive approach helps businesses respond quickly to events, lessening their impact. Its goal is to keep businesses operating throughout a crisis, and it does this by focusing on risk management for the organization as a whole.

Think of disaster recovery as part of your business continuity planning, sometimes referred to as a Business Continuity and Disaster Recovery (BCDR) plan. Disaster recovery focuses more on how to respond during technology-focused events. Like business continuity, disaster recovery aims to optimize the team’s response time, minimizing the impact of interruptions, outages, or information security threats.

While important, technology is only part of an entire organization. This makes disaster recovery a critical component of good business continuity planning, but not effective as a standalone safeguard.

Business Continuity Is a C-Suite Problem, Not a Technology Problem

When founders think of business continuity planning, they tend to focus on product availability and the information technology backing it. And in doing so, they mistakenly relegate business continuity to a CTO or lead engineers.
But business continuity also considers lost revenue, increased costs, staffing, facilities, equipment, processes, and systems. In short, business continuity is risk management for the business as a whole.

Each person or team in your company is going to think their application or responsibility is critical to the business. Yet, only the C-suite can look at all of the elements that make up their business, like investor relationships, key roles and skills, and financial health, to define what’s truly mission-critical. The C-suite is also better positioned to identify all the risks that could jeopardize those critical elements.

Start Simple and Keep Adapting Your Plan

Begin your business continuity conversation at the C-suite level, and keep it simple. Identify the risks you need to protect against (like market downturns, data breaches, and loss of essential skills). From there, enlist the help of others in the organization for effective ways to manage those risks.

Similar to stage-appropriate compliance, it’s better to tackle business continuity early and continue to hone in on risks and responses as you hire new people, open or acquire a new business, or make major changes to your operations. Your business continuity plan will evolve with you and your team, addressing different concerns pre-seed than past series A.

As your company and risks grow, you can assign a risk management team to periodically review, update, and test your business continuity plan. It’s also wise to involve experts like Laika that have firsthand experience helping businesses plan for and recover from disastrous events. They’re better at identifying risks that people tend to overlook and walking executives through the complicated process.

How to Get Started with Business Continuity

Business continuity doesn’t begin and end with creating a plan of action. It also means assessing your risks, understanding their impact on your business, and validating and testing your responses.

Conduct a Risk Assessment

As part of your risk assessment, you’ll identify the critical elements within the following areas:

People
  Minimum staffing levels
  Required skills/expertise
  Stakeholders/decision-makers

Processes and systems
  Critical periods: When does your product or service make the most impact on users? For example, a critical period for accounting software would be during the tax season.
  Internal communication: How do you expect your staff to stay in touch if they have to work remotely during a crisis like COVID-19?
  External communication: How do you plan to update customers in the event of a breach? What will you say, and how will you get approval from legal?
  Vendor management
  Vital documentation

Facilities and equipment
  Physical offices and alternative sites
  Data centers
  Company-owned laptops, other equipment
  Tools

Providers
  Vendors
  Suppliers
  Contractors

Regulatory/legal requirements
  Required controls
  Breach notification rules

Be picky about what you define as “critical.” While most business elements are important, only certain ones can ruin a company if interrupted. Focus on the things that you need to meet customer or regulatory requirements or to run your entire business or multiple core operations. Think catastrophic failure vs. a loss of efficiency.

Once you know the items you need to protect, it’s time to identify the factors that could cause you to lose one or all of those critical elements. If your team is distributed, think about threats to where they live and work. Do they live in regions that could be impacted by political instability or natural disasters?

Say your company handles health or financial information and needs to comply with federal or state regulations. What happens if you’re suddenly non-compliant? What if an important supplier goes out of business or an essential person on your team leaves your company?

Not all of the potential threats are obvious.
A pandemic like COVID-19 may feel inevitable now, but was it really on your radar a year ago?

Analyze the Impact on Your Business

The next step in your business continuity planning is understanding exactly what the impact would be if any of your critical elements failed. This business impact analysis quantifies the potential pain as much as possible in terms of:

  Financial impact, like the amount of revenue lost over a certain period of time
  Staffing impact, like increases in overtime expenses
  Regulatory impact, like how much you’d have to pay in regulatory fines
  Reputation impacts, like the cost of losing customers or the cost of responding to negative backlash

It also considers what the impact looks like if your critical elements go down for a day, a week, or longer.

Robinhood went down on March 9th, 2020 amid a drastic stock market drop. The app was down for days and they are now being scrutinized in a class-action lawsuit. With the right planning and testing, Robinhood should have been able to predict this weakness and plan to mitigate it. When you’re not brick-and-mortar, but offering a digital product, your customers expect that your product is agile, flexible, and highly accessible.

Build a Business Continuity Plan

Now that you’ve identified your critical elements, the risks that can take them out, and what would happen if they did, it’s time to make a plan to minimize the impact if the worst happens.

Your business continuity plan outlines your response in a crisis. It tells you when to execute the plan, how to execute it (in specific, detailed, actionable steps), and who’s responsible for different elements of the plan.

Environmental-related Crises

COVID-19 forced many employees to work from home. The businesses with continuity plans were better able to adapt to the new work environment.
This is because they already had procedures in place for distributing equipment (like company laptops), subscriptions and documentation for tools (like Slack and Zoom), and guidelines for office hours and remote communication.

System-related Crises

Business continuity plans should also prepare companies for system-related crises. Say your company runs a critical operation on a certain platform, and that platform experiences an outage, similar to the crisis many tech companies experienced with Slack early in 2021. A business continuity plan should outline a contingency plan to make sure your team can communicate and continue business operations even if that platform is unavailable.

Exactly what that solution looks like depends on your company’s unique circumstances. Do you give copies of the key to multiple people? Install keyless access? Who do you want to be able to unlock that facility? Where do you store the access code, and how do you protect it? A business continuity plan documents the answers to those questions and more.

People-Related Crises

What if only one of your people knows how to complete a critical task? Your business continuity plan minimizes the impact on your company if that person ever leaves. It stipulates whether you have that person document what they know or train others to share that critical responsibility. It also defines where that documentation lives, who has access, how and how often it gets updated, who gets trained, and all the other details that go into securing that critical function.

Continue to Test and Validate Your Plan

Once you’ve mapped out your business continuity plan, you need to make sure your team knows what to do during an event by regularly testing their response.

Team Drills

You can do this with tabletop exercises and group discussions. These activities give you opportunities to talk through everyone’s responsibilities during a crisis. They’re also useful for identifying potential gaps in your planning.
Team drills provide a better understanding of what parts of your business continuity plan look like in action. These exercises test your team by running them through a scenario and analyzing their response based on defined goals like speed, completion, and effectiveness.

Simulations

Say you wanted to test the part of your business continuity plan that accounts for all of your mission-critical systems during a crisis. You will need to understand how to create back-ups for a marketing automation system so you can recover if marketing communications are cut off. Maybe you’ll need to have a secondary messaging platform in case Slack is down or a way to allow your customers to access your own platform if there is an issue with logging in. Test each of these solutions so your employees understand how to keep the business running if needed.

Similar to team drills, simulations put your entire business and business continuity plan to the test. With a simulation, you rally your company, vendors, and partners around a realistic disaster event, testing each part of your business continuity plan. This not only tells you where your business needs help implementing the plan but also where your plan might need some adjustment.

Testing isn’t a one-and-done affair. To keep your business continuity plan useful as your company evolves, establish a regular testing schedule. Doing so keeps business continuity top-of-mind and a priority for your team. It also validates any changes you might make to your plan along the way.

We recommend reviewing and testing your service-level agreements (SLAs) to solidify your back-up plans. For example, examine your cloud provider; if your region of AWS went down, are you in a redundant sector to keep the lights on? If you leverage Stripe, how would you process payments if it experienced an outage? As it relates to critical parties, how would you disperse staff to continue working if you couldn’t get into a physical office?
All these fail-safes should be tested regularly to ensure staff can continue operations.

Business Continuity Is a Long-Term Strategy

As COVID-19 has shown us, business continuity can be life or death for businesses. However, it’s easy to forget that fact when stores begin to reopen and people start emerging from their homes. We tend to focus on what we think is most important at the moment.

Instead of allowing urgency to dictate your actions, use COVID-19 as motivation to start sowing the seeds of business continuity. Start talking about risk and impact at the C-suite level. Then engage an expert like Laika to hone in on your business’ most critical elements and the threats that can take them out.

Together, we can create a fully custom roadmap that starts protecting your operations now and makes business continuity a priority over time. That way, you know your business will be ready to survive the next catastrophe.