A business continuity plan is a set of procedures for maintaining business functions or quickly getting them back up and running in the event of some sort of major disruption — a natural disaster, loss of power, cyberattack or a pandemic.
“All businesses should have a business continuity plan because every one of them could be affected by disruptions,” says Carly Devlin, managing director, Clark Schaefer Consulting. “Without a business continuity plan, it could take longer than necessary to recover or the business might not recover at all. The pandemic has been a test for all businesses, and already there are organizations that are likely not able to come back when this ends.”
Smart Business spoke with Devlin about business continuity plans, what they should include and how to ensure they’re helpful when a disaster strikes.
What are the core components of an effective business continuity plan?
For a business continuity plan to be effective, a business impact analysis is required. That’s a process for identifying key business areas within an organization and their critical functions to devise a plan that outlines how each will operate in the event of a major disruption.
The next aspect of a business impact analysis is identifying potential losses — usually categorized into financial, legal, reputational and regulatory losses — and trying to understand what impact those losses would have on the organization over different lengths of time. At the same time, interdependencies between IT systems and those critical business functions should be identified. A recovery time objective tests how quickly each business function and IT system needs to be back up and running before unacceptable losses occur. At the end of the process, companies will better understand how to prioritize recovery efforts.
The third component is continuity procedures, which focus on contingency plans for people and processes in the event of various interruptions. That amounts to a lot of ‘what if’ scenarios and making sure that, for each of those, the business could continue operating while minimizing unacceptable losses.
How have business continuity plans performed so far during the pandemic?
There have been mixed results. Organizations that have more mature business continuity plans were better able to utilize their plans to transition their employees to work remotely. Organizations that didn’t have a mature business continuity plan have tended to struggle through the transition.
We’ve also seen a lot of organizations have a very general or high-level business continuity plan that doesn’t offer specific steps to take in the event of a disaster. That’s because many organizations have never tested their business continuity plan, which is the only way to measure the effectiveness of the plan. Organizations are now learning in hindsight from the shortcomings of their plans and are hopefully updating their plans so that they’re better prepared in the future.
What tools should businesses use to develop better business continuity plans?
There are various tools to help with business continuity planning. Some are free, such as online checklists and templates, and others have a cost associated with them. Some CPA and business advisory firms can help organizations with business continuity planning. They can help build a plan from scratch, update an existing plan or help with implementing and socializing the plan so that all the stakeholders involved clearly understand their role in its execution. Firms can also help test the plan using, for example, tabletop exercises that run through and poke holes in it to find the flaws.
A business impact analysis is a critical first step in developing a business continuity plan. You can’t effectively recover processes and systems without understanding which of them are critical, so the response can be prioritized and recovery can begin. Don’t forget to test, because too often, organizations discover at the worst possible time that their plans are ineffective or unrealistic.
Insights Accounting is brought to you by Clark Schaefer Hackett