BUSINESS CONTINUITY BASICS
One hallmark of entrepreneurs is the ability to "roll with the punches" - to overcome challenges and react to new circumstances, emerging stronger than ever. But what if you're faced with something more than you expected? Flood. Fire. Tornado. Terrorist attack. Epidemic. Something that not only threatens your success, but your very existence as a viable business?
No, this is not a sales pitch for insurance. This is a primer on sound business planning. Every business, no matter how large or small, should have a plan to follow before, during and after a natural or manmade disaster. Having a plan and following it can help your business and your community emerge more quickly after a catastrophe, and can even save lives.
The term "business continuity" refers to the plans and procedures your business implements to prevent and mitigate the effects of a disaster, and to maintain or recover critical functions as quickly and fully as possible during and after a disaster.
The following guidelines can help you create and implement an effective business continuity plan.
Step 1 - Evaluate
Evaluation is a two-part process. First, you need to consider the types of disasters that may impact your business. The very nature of disasters makes it hard to predict when or how they will strike and what impact they will have on your business, but common sense can help you prepare for the types of disasters that are possible in your area. Earthquakes, hurricanes, and tornadoes, for example, are more common in some parts of the country than others. Fires, floods and terrorist attacks can happen just about anywhere. If your business is located near a rail line or chemical plant, there is an increased possibility that a hazardous material incident will affect you.
Remember that it's not only where you are, but also what your business does that affects the types of disasters that can impact you. If your business produces or handles hazardous or flammable materials, you probably already know the risks involved. But what if you are in the financial services or health care industry? A data breach would certainly qualify as a survival-threatening disaster for your business.
Second, think about the most important components of your business - the things you absolutely must have in order to function. For most businesses, this list will include at a minimum key personnel, data on customers and suppliers, and financial accounting systems, including payroll. But the list probably includes other items as well: key suppliers, telephones, equipment, inventory, and, of course, a place to put it all.
Step 2 - Develop a Plan
Now put the disaster possibilities (the "what ifs") and the critical business components (the "must haves") together. What if something you must have is not available due to a disaster? A business continuity plan will provide the answer. Better yet, a good business continuity plan will decrease the likelihood that you'll ever have to ask that question.
Here is a checklist to follow when developing a business continuity plan:
- Get input from key personnel from all parts of the company. Make sure you know what each department needs in order to function, within the department, with other departments, and with outside stakeholders, such as customers and suppliers
- Establish a chain of command with delegated authority. If an executive or manager is unavailable to make a decision, the plan should spell out who else is authorized to make the decision.
The business continuity plan should include policies and procedures to be followed before, during and after a disaster. When planning for a disaster, there may be a tendency to focus on what to do during and after a disaster, but what you do before a disaster can have the greatest effect. For example, if you design and implement a rigorous data backup and offsite storage routine for critical information - a routine you follow daily, weekly or monthly during normal times - you can quickly and easily regain access to your data with minimal downtime and losses.
- Create an emergency communications protocol for your employees. One simple but effective method is a telephone tree that covers all employees. You could also designate a website or electronic bulletin board outside your company where employees could leave messages for each other. Another good option is to have a dedicated voice mailbox where employees can call to hear recorded instructions.
- Maintain a list of emergency contact information for all employees.
- Don't forget your customers. Establish a method or priority list for communicating with key customers. This could be as simple as posting a notice on your company website, making telephone calls, or sending an e-mail. Remember, your customers are counting on you, and it's up to you to reassure them that you will be able to serve their needs.
- The same goes for important suppliers. Have a way to let them know whether you are accepting deliveries, have alternative delivery sites, or need emergency deliveries.
- Develop an on-site emergency plan. This includes: identifying evacuation routes; having emergency supplies on hand such as medicines, first aid, food, water, sanitation, and a radio with fresh batteries; designating a "safe room"; and establishing an assembly site outside the building where you can account for all employees and visitors. You should also be aware of and plan assistance for individuals with disabilities and special medical needs.
- Create a conscientious backup and protection routine for the data you have identified as critical. This should include at a minimum regular remote backups of key data (offsite storage). The plan should also provide for the integrity of the data by protecting it from hackers, malicious software (viruses), and loss or theft.
- Build supplier redundancy into your business. Even if you rely on a handful of primary suppliers, establish relationships with secondary or competitive suppliers. If your primary supplier is affected by the same disaster as you, having alternative sources of needed supplies or services will be critical.
Step 3 - Distribute, Update and Practice the Plan
For your business continuity plan to be effective, it is crucial that everyone in your organization know what they are supposed to do when a disaster strikes. This may sound obvious, but all too often contingency plans are drafted by a committee - and that's where they stay, filed away for future reference.
Don't make this mistake. The plan itself should provide for its own promulgation. Determine who needs to know about which parts of the plan and distribute it to those individuals. For example, certain parts of your plan may contain sensitive information such as where you keep financial records. Reserve these portions for your finance department and key executives. Other parts, such as a telephone tree or emergency evacuation plans, should be disseminated to all employees. Keep a master copy of the plan in each department.
Regularly update the plan to reflect changes in your business. As you add new employees, systems, and equipment, the plan will need to account for these.
Finally, practice the plan. Disasters are very stressful, and are the worst time to find out whether your plan is practical. A company-wide response drill to a hypothetical scenario is one of the best ways to stay prepared, but these can be costly and disruptive to your business. Here are some other ways you can keep the plan fresh in your employees' minds:
- Conduct informal departmental drills to ensure that everyone knows what to do under various circumstances.
- Hold regular education and training seminars to develop the preparedness skills of your managers and employees.
- Have an informal "pop quiz" from time to time. Ask employees questions such as: What are the primary and secondary evacuation routes? Whom do you call on the telephone tree? Where are emergency supplies stored?
- Include disaster training in new employee orientation programs.
Step 4 - Technical Backup Plan
The field of business continuity planning focuses heavily on protecting business data and maintaining its usability during and after a disaster. With computerized data becoming ever more crucial to operating a business, this should be no surprise.
Think about your own business in terms of the data that you cannot operate without. Common examples include:
- Customer lists and order histories
- Financial accounting data
- Employee records
- Inventory records
- Marketing materials and catalog entries, including digital images
- Spreadsheets, product designs, templates, blueprints, tooling codes, and other digital data and software used in production
- Shipping records, including tracking numbers
- Business plans, marketing plans, and trade secrets
And the list goes on. Virtually no part of your business can operate effectively without access to current data and the ability to process it. The loss of data or the ability to use it can have a crippling, domino effect on your business.
What you do to prevent losses and maintain the usability of data during and after a disaster depends on several factors: the size of your business; the types and amounts of data you use; and the relative importance of data in the immediate operation of your business. These factors, in other words, determine how much you should spend to ensure the safety of your data. If all of these factors are highly significant, you should consider hiring a business continuity consultant or service provider to assess your situation and make recommendations.
Smaller companies, however, can make smart investments on their own, with effective results. Some steps you can take include:
- Keep your antivirus and firewall protections current. It doesn't take a physical disaster to wipe you out - a virtual disaster can be equally devastating.
- Make sure all computers and network devices use surge protectors to protect them from power surges that may accompany natural disasters.
- Consider investing in an uninterruptible power supply (UPS). A UPS provides temporary power to computers and other important equipment in the event of a power outage, giving you time to make backups, power down properly, or transition to a more secure location.
- Establish a schedule for making periodic backups of important data for offsite storage. The frequency should depend on the importance of the data and the difficulty in reconstructing any lost data. For Example, if you make backups every week, you will never lose more than a week's worth of data.
- Consider online storage of data backups. Many ISPs and other service
providers will furnish disk space on their servers for a reasonable monthly fee.
Many also provide software to help automate the process. Online storage has
several important benefits:
- The actual storage site is likely to be far removed from your own location, reducing the likelihood that it will be affected by the same disaster as you.
- The storage company will likely provide high levels of security from hackers and have safeguards in place to ensure uninterrupted service.
- The data can be retrieved from any location at any time via the Internet.
- If you use disks or tapes to back up data, make sure the disks or tapes are properly labeled and stored securely offsite. Keep in mind that a disaster may prevent you from accessing such backups if transportation networks are impassable.
- Keep copies of software applications in a separate, secure location. Your carefully protected data won't be of any value if you do not have the software needed to process it. Be sure to include copies of any custom software, scripts, templates, and modifications to prepackaged software applications.
- Make plans for replacing damaged or destroyed hardware, including computers, peripherals, and networking devices. Keep records of computer brands, serial numbers, and operating system versions. This will make it easier to procure new equipment capable of running your applications with minimal version conflicts.
- Consider outsourcing certain business functions, such as payroll, email list management, and website hosting. If your business is incapacitated due to a disaster, your vendors will probably be able to function, and will have your key data available for use.
It may sound cliché, but employees really are your most important asset. This will be most evident during times of disaster when you need your employees the most. But depending on the disaster, lives and livelihoods may be at stake and, as important as your business is to you, the safety and security of your employees must come first. Your business continuity plan should address this in the form of emergency evacuation procedures, employee training, and having emergency supplies on hand. Providing for your employees will put them in a better position to help you when the situation stabilizes.
Some disasters, such as hurricanes, floods, terrorist attacks, or chemical spills, can present a dangerous situation to a widespread area. Your employees will have concerns about families, friends, pets, and homes that can cause undue stress or even panic. To the extent that your company is able, you should not only accommodate employees by allowing them to address their dire personal concerns first without penalty, but you may also want to make company resources available to facilitate this. Your business may have communications or transportation capabilities that could alleviate personal hardship, or be in a position to provide supplies, temporary shelter, or payroll advances to help employees recover their sense of security and stability.
Am I covered? This is a question you should ask before a disaster, not after. Inadequate insurance coverage is a major reason for business failure following a disaster. Most business property policies cover direct damages from fire, wind, vandalism, and the like. They are designed to rebuild losses to your property. But will they rebuild your business? Not if you don't have the proper coverage.
The first step in getting the proper coverage is to review your current policy to see what is covered. Covered perils are listed in your policy as the specific causes of damage that your policy covers. Some policies also list some excluded perils. Commonly excluded perils include flood (rising water), earthquake, public disturbance (rioting or looting, which may occur after a disaster), acts of war, and terrorism. If a hazard is not listed as covered, however, it is considered to be excluded. Many excluded perils can be added as covered perils for a nominal premium. Ask your insurance provider for a quote and add the coverage as appropriate for your business and location.
Next, determine whether your business policy includes coverage for business interruption. Business interruption and/or extra expense insurance covers losses and expenses you incur due to your temporary inability to conduct business as a result of a covered peril. This is the type of insurance that will enable you to rebuild your business (not just your property) after a disaster. While policies vary by issuer and state, look for the following types of coverage in a business interruption policy:
- Lost income (covers the profits you would have earned had the disaster not occured)
- Document reconstruction expenses
- Temporary quarters (short-term lease on commercial space while your location is repaired)
- Moving expenses
- Payment of salaries, mortgages, leases, electric and phone bills, and other ongoing obligations that endure even while the business is inoperable
Business interruption insurance is usually sold as a package with a business property policy, and applies to covered perils within the property policy. If you have a separate policy for earthquake or flood damage, make sure you have business interruption insurance for those perils, as well.
Finally, find out what records your insurance provider will require when making a claim, and make sure they are included in your data backup and recovery plans.
Power and Communications
A major disaster can affect not only your business, but an entire community or region, resulting in damage or outages to communications and power grids. While there is not much you can do to prevent this, you can take steps to mitigate the effects of outages on your business.
The section on data protection and recovery describes the use of uninterruptible power supplies to keep a computer network running on a short-term basis. For an entire facility, a backup generator can keep your business running indefinitely. For a small business, however, a backup generator is a significant investment. The cost must be weighed against the likelihood of its being needed and the losses prevented by its use. At a minimum, battery-operated emergency lighting and exit signs should be in place to provide security and enable an orderly evacuation in case of emergency. Such equipment is mandated by commercial building codes in many areas.
Unlike electrical power, which in most areas relies on a single grid, most urban areas have several telecommunications providers, giving you more options for connectivity during a disaster. Building redundancy into your telecommunications services can help you maintain and recover your capabilities more quickly if a primary provider is unable to serve you during a disaster. Consider having a backup wireless or dial-up internet connection that you can use temporarily if your primary broadband connection goes down. Network-based phone services provided by your local phone company can keep your voicemail and call forwarding operating even if your facility is badly damaged.
Even in normal times, a lot of things have to work right in order for your business to function. In times of disaster, things that you once took for granted can become major headaches. Here are some additional consideration that might not have made it into the first draft of your business continuity plan:
- Credit card processing. Accepting credit cards depends on functioning equipment and telecommunications. If either goes down, your ability to conduct business goes down. Make sure employees are trained on how to accept credit cards either through voice authorization or getting an imprint of a card for later processing. Getting an imprint is risky because there is no guarantee that the card will be authorized at a later time, so establish protocols within your acceptable risk levels.
- Postage meters. If you lease meter equipment that is damaged or destroyed, contact your meter leasing company for a replacement. Keeping a supply of regular stamps on hand can keep your mail operations running even when the postage meter is not.
- Post-disaster repairs and replacements. Keep a list of manufacturers and servicers of key equipment so you can quickly contact them for need repairs or replacements. Getting service may be difficult in a widespread disaster, so having more than one supplier or provider is important.
- Supplies and materials. Keep extra supplies such as toner cartridges, raw materials, batteries, and the like on hand so you can continue to operate during delays in getting new shipments.
- Emergency shut-offs. Identify systems that could become hazardous in the event of a disaster and make sure employees are trained on how to shut them off. Gas lines, industrial processes, and pipes carrying steam or hazardous materials are examples. If flooding is a threat, turn off electrical power or raise electrical machinery to avoid damage and risk of shock.
Business Continuity Checklist
- Business continuity plan is up-to-date
- All employees are aware of the plan and are trained on how to respond to possible disasters
- Emergency contact information for employees is current
- Emergency evacuation routes are posted throughout the facility
- Emergency supplies are in place
- Data backup routine is followed according to the business continuity plan
- Insurance policy includes business interruption coverage
- A printed list of important contact information is readily available for key suppliers, customers, and emergency services.
Business Continuity Resources
Website provided by the U.S. Department of Homeland Security. Contains practical information on how to plan for a disaster and what to do to protect people, property and your business when one happens.
The Association of Small Business Development Centers (ASBDC) represents America's SBDC network. The ASBDC website provides articles and links to practical resources designed specifically for small businesses. This includes several timely articles about disaster recovery and risk management.