We've come full circle. Or, perhaps more accurately, the circle has expanded. Many decades ago, business continuity planning focused mainly on the sudden loss of a business owner and perhaps what the company might do if its offices burned to the ground. Then, technology took over — and planning began to concentrate on how to preserve mission-critical data and reboot networks as quickly as possible.
Today's businesses need to do it all. Technology is so nimble and dynamic that focusing entirely on it may leave your physical assets vulnerable to disaster. Yet you can't completely ignore IT risks either. A truly contemporary business continuity plan must take a 360-degree approach to staying operational.
Begin with the team you have in place to react coherently to a continuity threat. As the business owner, you must be its champion. In tough times, everyone looks to leadership.
But this doesn't mean you should go it alone. Every company, no matter the size, needs a business continuity team. And each person on that team must know his or her job. Often, these responsibilities can fall right in line with job duties. For example:
The precise size and shape of a business continuity team will vary depending on the size and shape of the company itself.
Disaster doesn't always strike the business itself: sometimes it hits your supply chain. This is a common concern of business owners and risk managers worldwide.
Try to diversify your supply chain so you're not dependent on one or two vendors. This way, you may be able to shift supply orders to another provider in the event one of the others is disabled by disaster.
If that's not feasible, at least create a list of backup vendors complete with company profiles and contact information. Be sure to regularly revisit and update this list. The last thing you want is to turn to an alternate supplier in a crisis and find that it no longer exists.
From a financial perspective, your business continuity plan needs to answer several key questions, including:
What is our immediate and short-term financial status? First and foremost, assess your cash position. Are you burning dollars at an untenable rate? One of the many reasons to maintain a strong cash flow is that you'll be in a much better position to weather a storm, literally or figuratively.
Where are our records? Maintain a clear path to backups of key records such as your financial statements, bank records, vendor agreements and employment contracts. Your CPA and attorney may be able to store copies of some of this important information.
Are we covered? No rational discussion of business continuity planning can take place without at least mentioning insurance. It's not enough to have the right coverage in place; you've got to be able to quickly determine what each policy covers, who your rep is and how to file a claim. At least one member of your team should stand ready to make these determinations.
The technological aspects of business continuity planning used to be somewhat more complicated. When businesses relied on tapes or other tactile media to back up data, getting to those backups could be a problem when several feet of water or a pile of smoldering rubble stood in the way.
These days, many (if not most) companies use the Internet — or "the cloud" as it's come to be called — to not only store data, but also to download or host applications. In the event of a physical disaster, the cloud likely has you covered. If it doesn't, your business continuity plan should address off-site backups of data storage media.
Either way, your plan also needs to articulate procedures for replacing hardware, restoring communications (such as e-mail servers and phone lines), and keeping your company website and intranet (if you have one) up and running with salient information.
Last but not least, in today's increasingly virtual world, every company's business continuity plan needs to confront the specter of hackers. If your servers are breached, a clearly planned response is paramount. (For more on this, see the sidebar "4 steps to responding to a server breach.")
There's no quicker way to go out of business than to stop doing business because of an unexpected crisis. Every company needs a good continuity plan — regularly revisited, revised and rehearsed.
The list of well-known organizations that have been hacked gets longer every year. One could say that it's not a matter of "if" but "when" any business might awake to the nightmare of a server breach. If it happens to you, here are four steps to responding:
1. Execute your incident response plan. Contained within your business continuity plan (see main article) should be a separate incident response plan specifically for a data breach. It should include specific instructions to ownership, managers and IT staff on implementing emergency security procedures and determining the severity of the breach.
2. Call in trusted advisors. Many companies find it difficult to maintain objectivity and even rationality following an intrusion of this nature. Before making any public moves, meet with parties such as your attorney, financial advisor, a technology consultant and even a public relations expert.
3. Seal off the breach then issue a statement. Waiting too long to disclose a breach to customers or vendors could hurt your reputation. But, ideally, you want to determine the cause of the problem and solve it before saying anything publicly.
4. Reinvest in security measures. If you get hit once, someone is on to you. Although you'll still need to spend carefully, expect to allocate more dollars and attention to IT security going forward.
Get in touch today and find out how we can help you meet your objectives.