In our latest thought leadership webinar, listeners tuned in to hear Eze Castle Integration’s certified Business Continuity and Data Privacy Consultant, Matt Donahue, and our Senior Product Manager, Steve Banda, share seven steps to create a solid business continuity plan (BCP).
A BCP is essentially documentation of how your firm will respond when confronted with unexpected business disruptions, such as natural disasters. It helps firms prepare a plan in advance to minimise financial loss and other negative effects of disruptions on strategic plans, market position, operations and reputation, to name a few.
Here’s a summary of the seven steps shared with listeners to create a BCP, as well as the full webinar replay.
Step 1: Regulatory Review and Landscape
The first step in creating a BCP plan is finding out if there are any requirements from federal or international bodies, state authorities, or industry-specific regulations that your firm will need to adhere to.
You should also check to see if your firm needs to follow any external guidelines from investors, partners or auditors, to ensure your BCP is completely valid across the board.
Step 2: Risk Assessment
The second step is to perform a risk assessment on your firm, to identify and prioritise potential business risks and disruptions based on severity and likelihood of occurrence.
The goal of the risk assessment is to categorise which risks are acceptable and which you would want to act on, whether by mitigating them, creating contingency plans, or leaving them be.
For this, you’ll need to consider company culture, cost, and any other potential problems you may encounter if you do choose to implement a strategy. Here’s Eze Castle Integration's step-by-step guideline for conducting a risk assessment:
Evaluation of the company’s risks and exposures
Assessment of the potential impact of various business disruption scenarios
Determination of the most likely threat scenarios
Assessment of telecommunication recovery options and communication plans
Prioritisation of findings and development of a roadmap
Step 3: Perform a Business Impact Analysis
In this step, you should review the different units that make up your firm individually, to understand the functions and tools critical to each of them. This information is highly valuable in developing recovery point objectives and recovery time objectives for critical functions (e.g. applications, systems, etc.). You should also outline internal and external dependencies, and define critical staff members and backups with similar skill sets.
By performing a detailed business impact analysis, you’ll be able to determine the maximum amount of downtime your business can withstand.
Step 4: Strategy and Plan Development
Once you’ve conducted a risk assessment and business impact analysis, it’s time to start thinking about the overall strategy and the development of your BCP. A synthesis of your risk assessment and business impact analysis findings is critical to developing plans for department-, division- and site-level contingencies. Each plan should be formed to accommodate the maximum amount of downtime each function can withstand.
Once you have created your plan, it is important to share it with key organisational stakeholders to obtain executive sign-off, where necessary. Incorporating multiple perspectives is critical to ensuring you have a holistic, fool-proof plan in place. It also creates an open forum to validate that the recovery time objectives set are attainable.
It is critical to ensure the plan is stored safely, and is easily accessible by members of staff in case of an outage or disaster. An off-site, secure web repository would be the best place to store your BCP, so that it can be accessed anywhere, anytime.
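One way to carry the business impact analysis from step three into the plan validation of step four is to check each critical function's committed recovery time objective (RTO) against its maximum tolerable downtime (MTD), taking its dependencies into account. The following is an added example, not code from the webinar or from Eze Castle Integration; the catalogue, function names and hours are constructed, and the recovery model (a function's restore work starts only after its slowest dependency is back) is an assumption the page does not state.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CriticalFunction:
    name: str
    mtd_hours: float                  # maximum tolerable downtime from the BIA
    rto_hours: float                  # recovery time objective the plan commits to
    depends_on: List[str] = field(default_factory=list)  # internal/external dependencies


def effective_rto(name: str, catalogue: Dict[str, CriticalFunction],
                  path: Tuple[str, ...] = ()) -> float:
    """Worst-case recovery time once dependencies are taken into account.

    Assumed model (not from the webinar): restore work on a function begins
    only after its slowest dependency is back, so the effective RTO is the
    function's own RTO plus the effective RTO of its slowest dependency.
    """
    if name in path:  # a dependency loop can never be recovered in this model
        raise ValueError("circular dependency: " + " -> ".join(path + (name,)))
    if name not in catalogue:  # every dependency must have its own BIA entry
        raise KeyError(f"dependency '{name}' has no BIA entry")
    fn = catalogue[name]
    slowest_dep = max((effective_rto(d, catalogue, path + (name,))
                       for d in fn.depends_on), default=0.0)
    return fn.rto_hours + slowest_dep


def find_rto_gaps(catalogue: Dict[str, CriticalFunction]) -> List[Tuple[str, float, float]]:
    """Functions whose plan cannot meet the BIA's maximum tolerable downtime."""
    gaps = []
    for fn in catalogue.values():
        eff = effective_rto(fn.name, catalogue)
        if eff > fn.mtd_hours:
            gaps.append((fn.name, eff, fn.mtd_hours))
    return gaps


# Constructed sample BIA catalogue; names and hours are illustrative only.
SAMPLE_BIA = {f.name: f for f in [
    CriticalFunction("network", mtd_hours=4, rto_hours=2),
    CriticalFunction("auth", mtd_hours=8, rto_hours=1, depends_on=["network"]),
    CriticalFunction("order_db", mtd_hours=8, rto_hours=4, depends_on=["network"]),
    CriticalFunction("trading_app", mtd_hours=8, rto_hours=1, depends_on=["auth", "order_db"]),
    CriticalFunction("client_portal", mtd_hours=6, rto_hours=2, depends_on=["auth", "order_db"]),
]}

if __name__ == "__main__":
    for name, eff, mtd in find_rto_gaps(SAMPLE_BIA):
        print(f"{name}: effective RTO {eff}h exceeds MTD {mtd}h")
```

In the sample, client_portal's own 2-hour RTO looks fine against a 6-hour MTD, but once the order database it depends on is counted the effective recovery time is 8 hours, which is the kind of hidden gap a stakeholder review of RTOs is meant to surface.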
Step 5: Create an Incident Response Plan
Having a proper incident response plan in place is crucial for every firm. If an incident does occur, and disrupts day-to-day business operations, you should be prepared with definitive actions for responsible individuals to take.
Your incident response plan should be created with the mindset that an incident will occur (‘when’, not ‘if’), to ensure it is realistic, detailed and effective in guiding the firm when disaster strikes.
All relevant internal and external parties, from IT, Operations and HR departments, to service providers, clients and regulators should be involved in reviewing the plan, to see if all areas have been covered, and if there’s room for improvement. Additionally, be sure to run a due diligence check to see that your plan is consistent with the other plans created by your firm.
Another crucial step we recommend in the fifth stage of creating a BCP is reaching out to the different vendors that you work with to see how they're going to respond to the incidents that may come up. Having these conversations ahead of time is important, because your expectations of their roles and responsibilities in your plan can affect how successful your response and recovery will be.
Step 6: Plan Testing, Training and Maintenance
The sixth step is all about the testing, training and maintenance of your plan. Our experts suggest you deliver regular employee training sessions with tabletop and simulation exercises, to ensure the firm is fully trained in case of an outage. It is also worth having your BCP, business impact analysis and risk assessments checked annually by an external, certified business continuity consultant, to guarantee new threats and business process changes are accurately represented in your plans. The BCP should be a living document, regularly adapted to the current landscape.
Step 7: Communication
The final step our experts recommend is taking the time to communicate your plan to relevant members both internally and externally, as well as providing ongoing updates to the BCP as they become available. We also suggest you alert any vendors or third parties that have a role in the BCP, or would be affected by it. Ongoing communication is vital to ensure all parties are in the know, at all times.