Recent incidents such as the earthquake and tsunami in Japan, terrorist attacks and natural disasters have shaken many business owners and executives into facing the fact that their business world is at risk every day. As of this writing, some business units in Japan have not regained full operations after the March 11, 2011 disaster (over four months!). Customers are demanding that their suppliers maintain the ability to provide products and services in the event of a disaster. Some even require that a Business Continuity Plan (BCP) be submitted and maintained by all suppliers. In the future it will be difficult to win new business without a comprehensive BCP.
A Business Continuity Plan (BCP) is “planning which identifies the organization’s exposure to internal and external threats and synthesizes hard and soft assets to provide effective prevention and recovery for the organization.”
In other words, BCP is working out how to stay in business in the event of disaster. Typical incidents include local events like building fires; regional incidents like earthquakes or floods; and national incidents like pandemic illnesses and terrorist attacks. Any event that could cause loss of business should be considered, including the loss of anything on which the business depends, such as loss of source of supply, loss of critical infrastructure (a major piece of machinery or computing/network resource), or the result of theft or vandalism.
A BCP requires detailed planning by an organization’s executive staff and should not be taken lightly. Normally it takes two to three months to create a comprehensive BCP.
The following is a list of some of the basics that should be part of Business Continuity Planning:
Develop and practice a contingency plan that includes a succession plan for the CEO and key staff (including legal).
Train backup employees to perform emergency tasks. The employees you count on to lead in an emergency will not always be available.
Determine offsite crisis meeting places and crisis communication plans for top executives and other key personnel.
Practice crisis communication and exercises with employees, customers and the outside world.
Invest in an alternate means of communication in case the phone networks go down.
Make sure that all employees, as well as executives, are involved in the exercises so they get practice in responding to an emergency.
Make business continuity exercises realistic enough to tap into employees’ emotions so that you can see how they’ll react when the situation gets stressful.
Form partnerships with local emergency response groups (firefighters, police and EMTs) to establish a good working relationship. Let them become familiar with your company and site.
Evaluate your company’s performance during each test, and work toward constant improvement. Continuity exercises should reveal weaknesses.
Test your continuity plan regularly to reveal and accommodate changes. Technology, personnel and facilities are in a constant state of flux at any company.
Review outsourced work to ensure that it will not be adversely affected by disruptions.
Discuss emergency financing options with your banks and other financial institutions to ensure availability of funds in a disruption.
Ensure that critical electronic and paper files are duplicated and stored in a secure offsite location.
Establish and have ready backup email and internet service.
Arrange for a backup facility should yours be rendered unfit for habitation.
Do not forget that suppliers and customers need to be kept current during recovery operations.
Consider getting assistance from a qualified and experienced professional.
The United States Government has enacted PS-Prep (Private Sector Preparedness, also known as Public Law 110-53: Title IX), and the International Standards Organization has released ISO 22301, “Societal security – Business continuity management systems.” These constitute a credible, practical, standards-based approach to certification of a business continuity and emergency management program for both private and public sector organizations. Organizations can be certified to PS-Prep or ISO 22301 by an accredited certifying body. These are aligned and can be integrated well with other common management system certifications, including ISO 9001 for Quality Management and ISO 27001 for Information Security Management. Achieving certification is a sure way to make certain that your organization has an effective BCP and to demonstrate to your customers that their source of supply is safe with your organization. Contact the Desara Group (www.DesaraGroup.com) for further information and BCP assistance.
by Mark Hehl