Weather forecasters are predicting that the 2017 hurricane season may be busier than we’ve seen in recent years due to rising water temperatures in the Atlantic basin and the delayed onset of El Nino conditions in the Pacific. The U.S. has already seen impacts. Tropical storm Cindy made landfall in Louisiana in June, bringing heavy rain and flooding.

Each time a disaster strikes, we’re reminded of the devastation caused by events such as Superstorm Sandy, Hurricane Katrina and the attacks of September 11, 2001. Thousands of businesses suffered severe losses, and many never recovered. However, those with business continuity plans stood a better chance of surviving.

Business continuity planning is seldom a top priority for organizations, particularly small to midsize businesses (SMBs). Developing a plan takes time and expertise, and few SMBs have the resources.

As a result, regulatory compliance is often the key motivator for the implementation of a business continuity plan. Although requirements vary according to industry and geography, regulators want businesses to have effective business continuity plans that enable them to continue operations with minimal disruption during and after a disaster.

For example, the Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers to have plans for data backup, disaster recovery and emergency mode operations. Similarly, the Federal Financial Institutions Examination Council holds an organization’s Board of Directors responsible for ensuring the implementation of a comprehensive business continuity plan.

There are three components of a business continuity plan:

  • Business Impact Analysis. As the name suggests, a business impact analysis enables organizations to assess and quantify the impact of a disruption. All facilities, IT equipment and third parties should be assessed, and recovery time objectives (RTO) and recovery point objectives (RPO) should be identified for all business functions and processes. An RTO is the maximum amount of acceptable downtime for a function, while an RPO is the maximum amount of data loss that can be tolerated.
  • Risk Management. Effective risk management involves identifying and prioritizing risks, enacting controls for managing risks, ongoing monitoring and assessments, and the documentation of all procedures, roles and reporting processes.
  • Testing. Business continuity plans should be tested when they are implemented and at least annually thereafter. Organizations should conduct additional tests whenever business processes change or new technology is deployed. The results should be analyzed to determine what worked correctly, what didn’t and what must be improved.

Many organizations focus exclusively on their IT environment when developing business continuity plans. However, the key objective should be to maintain or quickly recover all business operations, not just technology, while prioritizing mission-critical operations. Communication plays a critical role. Organizations should ensure that their communications infrastructure is resilient enough to survive a disaster, so they can maintain contact with employees, customers, suppliers and partners.

Finally, business continuity plans should be flexible and easy to adapt. Each time a disaster or security breach occurs, regulators tend to push harder for stricter requirements. Plans should be standardized as much as possible across all applicable regulations so that they can be modified as requirements change.

It’s unpleasant to think about a disaster impacting your business, but the threat is always there. By developing and implementing a business continuity plan, you’ll be better prepared to weather the storm.
