Ensuring Efficient & Implementable Business Resilience Plan
Disasters never come well informed and organizations and community as a whole need to be prepared well in advance for D-day whether its natural disasters like earthquake, tsunami, floods, fire and these days cyber threat too. As humans we have experienced such disasters from centuries but yet till date we seem to have not learnt much from our past experiences. We always stay in our bubble that it won’t happen or I know the drill. Hence it's imperative to ask how good is our organization's resilient quotient in a scenario when disaster strikes.
Every time a disaster occurs its different and it unfolds in a different manner. There is always a learning and key takeaway to face the next one. This brings the focus of discussion of having a business continuity plan in place for an organization which is efficient, simple, scalable, futuristic, implementable and tested during a disaster. Most organizations do have a business continuity plan in place for others it is just being lucky enough to recover back from a disaster as they may run out of business in some point in time when a disaster strikes.
Business Continuity plan is different than disaster recovery as its more holistic in nature and goes beyond IT infrastructure and operations. Business continuity plan focuses on creating an organization wide framework, processes and procedures encompassing all business units including human resources, finance, marketing, business partners, vendors suppliers etc. For e.g. It is like with minimum amount or negligible downtime all business units and processes are up and running during crisis. BCP plan looks holistically at people process and technology; by doing so an organization can handle an incident during crisis more effectively which ensures a positive influence in terms of customer confidence, organizations brand image and overall market value. There is more effort and focus from regulators too to ensure security of customers data and identity, safety of employees and community at a whole.
To begin with If an organization doesn’t have a BCP plan in place and they would like to embark upon the journey the first and foremost step is top down approach with board members and senior management involved and their willingness to making this a great success. The steps involved in having BCP plan are mentioned below:
Analyse
Design
Exercise
Sustain
Analyse
Organizations need to understand first and foremost their culture and their risk appetite. Identify critical and non-critical processes. Assess them and figure out areas where there are lacunae. Their implications in terms of financial, regulatory and reputational impact of these processes going down during crisis. Initially organizations need to set broad recovery requirements against various scenarios and events during crisis. Lastly need to determine the risk associated with the scenario and its likelihood of occurrence.
Design
One of the key elements of BCP is Business Impact Analysis during the design stage. The terminology is self- explanatory, it assists organizations to identify and map business critical processes and operations. The impact of these critical processes going down impacting the business operations on the whole in monetary terms. This analysis will assist organizations to identify the opportunity cost of critical processes and map them during crisis to ensure resilience. Alternatively it also allows organizations to identify non-critical processes that can be outsourced to third parties by addressing risk to lower thresholds. Organizations need to create recovery strategies and develop recovery solutions with a mix of people, process and technology.
Exercise
Post identifying the vulnerabilities and doing business impact analysis it’s imperative to document the plan, prioritise and map critical business processes. Engage all stakeholders and schedule and execute test and drills, measure the score i.e. resilience quotient. Organization needs to test their plan rigorously to know if its complete, meets the intended purpose. It is ideal to test the plan two to four times a year with different scenarios depending upon changes in senior management, addition or deletion of any critical business or IT process since the last test was conducted. Also, the scenarios could be usual table top exercise, simulation walk through or a full-fledged disaster simulation drill. Its’ equally important to communicate the test results with management and identify areas of improvement.
Sustain
Once the business continuity plan is ready and tested its important to sustain the effort and improvise from the test learning on regular basis. Many times, organizations lose focus due to other critical tasks and the plan goes stale and has no relevance in case of disaster. Hence sustenance is a very critical step in a ensuring a resilient environment. To ensure sustenance the foremost step is to involve employees by periodic training and raising awareness across organization. The key takeaway is to keep imposing the employees with virtual reiteration tools such as wallpapers, banners, screensavers etc which ensures better receptivity during crisis.
It’s always essential to conduct these exercises and audits at regular basis. which in turn gives the overall resilient quotient. This scorecard can be recalibrated and bcm plan can be tweaked accordingly during regular intervals. Continuous management interaction and complete visibility are also essential part of the sustenance program to ensure a resilient organization.
Hence to ensure an efficient and implementable business continuity plan it's always essential to measure an organization's resilient quotient by following the aforementioned steps.