Three branches of business continuity

June 2, 2023 Oro

Bad things happen. It may be difficult to anticipate all the possible scenarios that could disrupt your business, but we have witnessed a few examples in recent years: a global pandemic and a war in Eastern Europe, natural disasters like fires or flooding, and supply chain challenges. But challenges to your business continuity may also be close to home: Bad press, the tragic passing of a leader, or a security breach. For these and many more scenarios, macro and micro, business continuity planning is an essential task for creating organizational resilience. And an organization’s ability to maintain essential functions during a crisis can set you apart.

Business continuity planning is best undertaken when you’re not in the midst of a critical event. Rather, it’s a set of actions and protocols a business puts in place for when such events might occur. Business continuity management (BCM) and business continuity and disaster recovery (BCDR) are just two acronyms you may encounter. In this blog post, we’ll break business continuity into three key components or three branches and walk you through examples of each:

- Emergency response
- Crisis management
- Disaster recovery

Branch 1: Emergency response

This branch of business continuity focuses on the immediate response to a crisis or emergency situation. Think of it as a “to-do plan” if there’s a natural disaster, cyber-attack, or any other unexpected event that can disrupt business operations. The primary objective of an emergency or disaster response plan is to ensure the safety of employees and minimize damage to your business property, information, and infrastructure.

Example 1: A fire breaks out—what do you do?

Let’s say that an unexpected fire breaks out in an office building.
The emergency response helps us prioritize the immediate actions that must be taken, such as evacuating employees, notifying emergency services, and minimizing damage to property, physical assets, and infrastructure. In the case of a fire, there are certain things you’re expected to have in place in any business location. These include fire safety protocols, safety training, and designated emergency exits and evacuation routes, per the National Fire Protection Association.

Example 2: A pandemic erupts—what do you do?

During a pandemic, the Emergency Response Management branch of business continuity would focus on immediate response to the crisis. This could include immediately sending employees home, providing personal protective equipment (PPE), and implementing lockdowns or quarantines to limit the spread of the disease or conflict. The objective is to ensure the safety of individuals and minimize the impact on infrastructure and critical systems.

Branch 2: Crisis management

Once you’ve come to grips with the emergency at hand, you can begin to manage the situation. You’re not out of crisis mode yet, but you’ve stabilized things enough that you can move from reactiveness to active management. Crisis management deals with the restoration of critical business functions after an interruption, including the recovery of data, systems, and operations. The objective is to ensure that business operations can be resumed as quickly as possible and to minimize the impact of the disruption.

Example 1: The fire has been extinguished—how to keep going?

After the fire has been extinguished, the Business Recovery Planning branch of business continuity would focus on restoring critical business functions. This could include recovering data from damaged computers, repairing damaged infrastructure, and ensuring that employees have access to the necessary resources to keep working.
For example, your organization might have backup systems in place to restore data and operations, and it may have a recovery team to manage the process.

Example 2: Your people are safe at home—how to run the business while there’s a pandemic?

After the initial emergency response, the Business Recovery Planning branch of business continuity would focus on restoring critical functions. For example, during a pandemic, businesses might shift to remote work or implement social distancing measures to keep operations running. As we saw during the COVID pandemic, your IT team may review your systems so that remote meetings can be facilitated, for example. Governments may also implement stimulus packages to support businesses and individuals affected by the crisis.

Branch 3: Disaster recovery and future preparedness

With the crisis now under control, you can start to rebuild. Whether you’re rebuilding infrastructure, recruiting new team members, or regaining customers’ trust, this stage is about getting your business back to where it was. But you shouldn’t forget the experience and lessons you learned. This branch also focuses on the proactive measures that organizations can take to mitigate the impact of another potential disaster or crisis (fingers crossed, no time soon!). Disaster recovery planning includes risk assessment and risk management, developing contingency plans, and establishing procedures and protocols for responding to emergencies. The objective is to reduce the likelihood and severity of another disruption to business operations.

A Business Impact Analysis (BIA) is a key step in recovery

A Business Impact Analysis (BIA) is a critical component of disaster recovery. The purpose of a BIA is to identify and prioritize critical business functions and processes, and determine the potential impact of disruptions to those functions.
By performing a BIA, organizations can identify which functions and processes are most critical to their operations and prioritize recovery efforts accordingly. The BIA provides the foundation for developing recovery strategies that address specific impacts on critical business processes and functions, such as loss of revenue, damage to reputation, regulatory non-compliance, and customer service disruptions.

In essence, the BIA helps to inform the development of a business recovery plan that outlines the steps necessary to recover critical business functions in the event of a disruption. This plan can include strategies for alternative work arrangements, backup systems, data recovery, and other measures aimed at minimizing the impact of a disruption on the organization.

Example 1: Recovering from the fire and lessons learned

The Disaster Preparedness Planning branch of business continuity would focus on proactive measures to mitigate the impact of potential disasters. Your organization might conduct risk assessments and develop contingency plans for a broader set of natural disasters, such as hurricanes, floods, or earthquakes. You may also establish protocols for communicating with employees, suppliers, and customers in the event of an emergency, and regularly train employees on emergency response procedures. Additionally, the organization may invest in backup systems and redundancies to minimize the likelihood and impact of a disaster.

Example 2: Pandemic recovery—it will be better if there’s a next time

As the more pressing events of the pandemic subside and things normalize, businesses can focus on making a full recovery from the disaster that occurred. This may involve readjusting a remote work policy or redesigning elements of the office to make people comfortable to return to work.
The Disaster Preparedness Planning branch of business continuity would also focus on proactive measures to mitigate the impact of a potential future crisis. For example, your business may also invest in emergency stockpiles of medical supplies, develop contingency plans for remote work, and establish communication protocols for quickly disseminating critical information.

Common areas for improvement in business continuity management

Business continuity is not a “set it and forget it” protocol. You should revisit the business continuity planning process regularly and update roles and responsibilities as necessary. As new threats emerge, from climate change to cyber-attacks, you may find your planning quickly becomes outdated. Immediately after you’ve recovered from a disaster is a good time to reflect on any gaps that arose in your business continuity plan. Working with experts, like the team at Thoropass, can help you build the foundations for a resilient business that stands the test of time.

Common gaps in business continuity plans include:

Failing to do any business continuity planning

We get it: Everybody’s busy with their day-to-day and business continuity planning can seem a little like saving for a rainy day or making a will. Nice to have? Definitely. The most pressing thing to do today? Not necessarily. Hesitancy to undertake this work can also stem from a lack of understanding of potential threats. It may feel overwhelming to imagine all the possible things that can occur. It can seem a little too much like doomsday prophesying. But in these volatile times, when disaster strikes in many forms, and anything from a simple human error to a major disaster can threaten your business, a business continuity strategy should be considered an operational must-have.

Building robust documentation

Where possible, there should be documentation outlining the steps to be taken. This is not a time to rely on memory (even the coolest heads can go blank in a disaster).
Think of this like the “in case of emergency” cheat sheet located in the pocket of your airplane seat. Physical actions like evacuating the premises, contact information for emergency services, and the steps for activating the emergency response team should be well documented and communicated across the organization. At the individual employee level, this might mean ensuring that in-case-of-emergency contacts are updated in your HR systems.

Having clear communication protocols

Who is responsible for calling whom? Who on your team drafts and who approves messages to be put on the company website or social media? And then there’s the order in which information is cascaded: Should your entire organization and shareholders receive the news before clients? Should the media be made aware before it’s shared with the general public? Again, it may not be possible to outline all the potential scenarios and their idiosyncratic communications protocols, but the value of having a point person to guide actions is clear.

Sometimes, in a panic, employees jump to action. They want to help fix things. But as the saying goes, “if the right hand doesn’t know what the left hand is doing, chaos can ensue.” You can wind up with confusion, mixed messages, and more messes to be cleaned up. Even if you run a scrappy business where everybody chips in, this is a time for clear, consistent top-down messaging disseminated appropriately across channels. The communication protocols outline how information will be disseminated, who will be responsible for communicating, and what channels will be used in the event of a shutdown.

Building sufficient data backup and recovery capabilities

Companies may not have effective backup systems or recovery capabilities in place, leaving them vulnerable to data loss, extended downtime, and other consequences of a disruption. This especially applies in the case of cyber-attacks, when critical information can be lost or customer data can be compromised.

Considering alternate site arrangements

Your business should have pre-planned locations or facilities where critical business operations can be shifted as a result of disruption. This may be as simple as a remote work policy for employees. But it can also expand to include backup data centers, coworking facilities, or cloud-based infrastructure.

Understanding your recovery time objective

The recovery time objective is the amount of time or “real” time a critical service can go down before the business begins to experience the adverse effects associated with the disruption. Knowing this gives you a “clock” to work against. If, for example, you run an e-Commerce business, you might have delivery standards you must adhere to (e.g., “all orders ship in 24 hours”), and failing to make those timelines could result in canceled orders and a loss of revenue.

Demonstrating committed executive support

Business continuity and disaster recovery (BCDR) planning requires ongoing investment and commitment from your senior leadership team. Without support and funding from the top, organizations may struggle to prioritize planning and execution efforts. While this work is often delegated to a combination of IT, Comms, and HR leaders, it is important that there is coordination between teams and that the plans are unified. Remember how confusing it can be when disaster strikes. Having clear plans, roles, and responsibilities will not only eliminate stress but also help people feel a sense of purpose and stability in the midst of crisis.

Your business continuity plan: practice makes perfect

Again, don’t set it and forget it! Regular testing is crucial for an effective business continuity plan. Simply identifying potential system failures and assessing their impact won’t suffice unless you put your framework to the test. Think of this like running annual fire drills.
Simulating a crisis enables you to identify mission-critical systems, recovery time, and key decision-makers, as well as lapses in judgment and communication. Testing various failure scenarios (whether digital or physical) is vital to understanding your plan’s strengths and weaknesses and determining how to bolster it. Testing must also adapt to new threats; keeping abreast of industry-specific cyberattack trends can help you create an ironclad strategy for protecting your mission-critical systems. Reviewing and testing service-level agreements regularly is also necessary to build resilient systems.

Business continuity can go very deep. If you’re just getting started, identify the most pressing vulnerabilities and move with purpose through the exercise. This is less a one-off exercise and more a healthy habit, so you’ll continue to improve all three branches as you go!