7 Commandments of a bullet-proof Business Continuity Plan

You want your business to run tediously smoothly. To be boringly uneventful. ‘Business as Usual’ (BAU) is your goal.

There are three fundamental elements that make up your business and that should all be available and working together in depressingly cadent synchronicity: people, offices and systems.

The ability to keep running as a business after any event that disables or inhibits any of these fundamental elements – that stops BAU – is Business Continuity (BC).

To maintain the cringe-worthily efficient running of your business at all times, you need to carefully define how your business is going to react in the face of events that could disrupt your people, your offices, or your systems: a Business Continuity plan.

This plan should be a living document that is well constructed, understood, and regularly tested. To make sure you have all the bases covered, here are our seven commandments for a bullet-proof BC plan:

  1. Define your protection elements

    What can your business not function without?

    Whatever answer you come up with, these are your protection elements. These direct the focus of your plan and give it purpose.
    These are the elements that you must have an alternative for, or solution to, should something go awry.

  2. Review your protection levels

    This is the level of performance you need to restore your protection element to when it fails, in order to maintain Business Continuity.
    Say, for example, your protection element is your main office, which is out of action due to flooding. To get your people in the right shape, will you need an entire alternative office prepared, or just remote working capability so everyone can work from home?

    To keep your systems going, will you just need a cloud backup through which you can manually restore key files and databases, or an instant failover to a full replication of your entire on-premises IT estate?

  3. Identify your protection requirements

    You need to define the precise nature of whatever business continuity tactics you will invoke around your people, offices and systems in order to protect your elements to the required level.
    Let’s continue with the main office example. Say you need a secondary office location. Within what geographic region would it have to be located? Will it need to accommodate all your staff, or only the most vital? Which internal IT systems will those select few need access to? Has a contingency plan been drafted that ensures that phones and computers will be available there?

  4. Failure scenarios and actions

    To help determine your protection requirements, you need to determine what would constitute a failure for any given element.
    Any given failure should be outlined in a ‘failure scenario’ and a series of remedial actions outlined. To go back to the office example, anything that renders the building unusable – a fire or flood, for example – would count. In this failure scenario a series of actions needs to be outlined that can be invoked in order to reach the required level of protection: e.g. having an accessible and fully-resourced secondary office. These actions could be as basic as calling the office landlord and letting them know you are invoking your Business Continuity plan.

  5. Roles and responsibilities

    When planning the actions for each failure scenario, it is crucial to not only identify the actionable steps to be taken, but also the roles and responsibilities of the individuals who will take those steps. In this example this could include the following:

    • Facilities Manager: informs the landlord that you will be invoking your alternative office site
    • IT: transports phones and laptops for the staff in the new location
    • HR: coordinates communications within the company to ensure that regular staff are aware of what is going on and can resume work as quickly as possible

  6. Rollback

    In the event of a failure scenario, the ideal situation is to return business operations as close to BAU as possible. However, the need to return as quickly as possible to a minimum level of operation – rather than waiting longer to return to full functionality – is a powerful consideration.
    Generally, the BC operating model is scaled down to be able to deliver service at a reduced capacity in order to maintain a business presence. This is typically more cost effective than maintaining a complete replica of the primary operating model on standby and failing over to it in the event of a failure scenario.

  7. Testing

    This is the most critical element of any Business Continuity plan. You have to demonstrate your plan to be understandable, relevant, effective and trusted. BC plans are commonly tested bi-annually, with each test featuring a prolonged period of running in a BC state.
    One step further is the concept of ‘Active/Active’, whereby the BC protection requirements are actually actively used as part of BAU, with the primary operating model simultaneously at 50% capacity.

    Using the main office location example, the BC centre may actually be a satellite office that has sufficient capacity to take on a subset of key personnel from the main office in the event of a failure scenario.

---

Don’t let your office get too exciting. But when external circumstances force your hand, make sure your plan is ready!