Business continuity planning in action
A guide to keep your business ready for an emergency
Business disasters can strike at any time, often with little or no warning. Yet, according to a recent study by a national non-profit organization,1 more than half of small businesses have no disaster recovery plan, and of those that do, the vast majority spend very little time making sure that their information is updated and understood by all who need to implement it. Not having a plan, and not exercising the plan, is almost like making the same mistake twice — and the result can be devastating to your business. Creating, updating, and testing your plan are all critical to responding successfully to a natural disaster or other business disruption.
To get you started, the Insurance Institute for Business & Home Safety (IBHS) has created OFB-EZ™ (Open for Business-EZ), a free, downloadable business continuity planning toolkit, to help you recover, re-open quickly, and reduce losses. OFB-EZ gives business owners tools to better understand the risks they face; keep in touch with key suppliers, vendors and employees; make sure their information technology systems continue to function; and improve their ability to make quick, informed decisions after a disaster. Creating a plan is only the first step in disaster preparedness. The focus of this article is on making sure that the plan you create is up-to-date and actionable when you need it most.
1Small Business Majority and the American Sustainable Business Council, Climate Change Preparedness and the Small Business Sector
Business continuity plan — it’s a living document
Business continuity planning is an evolving exercise that should be regularly reviewed and updated because your business is constantly changing. You may have new products and services; upgrades to technology; people coming, going, and changing their responsibilities; and new priorities. All of these affect your business and therefore your business continuity plan. Preferably, your plan should be updated as soon as changes in your business occur. That way, the work won’t pile up and you won’t forget something important. At a minimum, your plan should be reviewed and updated at least once a year — but every six months is ideal. Once the plan is updated, be sure to redistribute it and make your employees aware of the changes, as this will help when they need to put the plan into action during an emergency when reflexive action may be needed.
Questions to consider: deciding how and what to update
Time and resource constraints make maintaining and updating your plan challenging. To simplify the process, the following is a list of questions to consider when reviewing your plan.
- Have my business’ risks or hazards changed?
- Has my business added any new office, sales, or operational locations that need to be included in the plan?
- Has my business added new departments, products, or services?
- Have there been any process changes that need to be included?
- Have the priority levels of my documented business functions changed?
- Has my business added or changed any suppliers/ vendors, key contacts or key customers?
- Is the contact information up-to-date for existing suppliers/vendors, key contacts and key customers?
- Have I updated the current software needed to resume each business function?
- Have I updated information on specialized equipment needed to resume each business function?
- Have there been any staffing changes?
- Does my company telephone call list need to be updated to reflect new staff personal/ emergency contact information?
- Are the right responsibilities assigned to the right staff?
- Are the documents attached to my plan up-to-date?
- Should additional documents be included with my plan?
- Has a review of vital records been completed?
- Does the updated plan reflect lessons learned from any disruptions experienced since the last update?
- Can I put in place any new protection devices, safeguards or procedures to reduce my business’ risks and hazards?
- Are work-around or secondary methods written and documented in a manner that my employees can understand and act on them?
- Have I reviewed my insurance coverage with my agent?
Putting the newly updated plan into action
As soon as you have updated your plan, make sure it gets to the right people, and that they know their responsibilities. Here are some action items:
- Has the updated plan been reviewed and approved by the business owner and/or senior operations managers?
- Provide copies of the updated plan to all employees who need it. If there are some things in the plan that not every employee should see, put those items in an appendix and distribute only to those who need to know.
- Save the updated plan in multiple secure digital locations. Make sure key employees know where the plan is located.
- Print and store paper copies of the updated plan in multiple secure locations. Make sure key employees know where they are located.
- Dispose of all outdated copies of the plan.
Testing and exercising — how often is often enough?
Can you imagine a group of actors performing a play with no previous script review or rehearsal? Yet, in the event of a business disruption, most businesses expect their employees to perform under pressure without ever practicing their roles or testing the overall plan. Without testing, you will never know if your plan will work when you need it most, and without exercising your staff, you will never know if they understand their roles and responsibilities and are able to perform them. In addition, testing various scenarios will teach staff what to do if some resources are unavailable.
Periodic testing also will enable you to find the gaps that need to be addressed. Without testing, those gaps will stay hidden until it’s too late. Once identified, make sure your plan gets updated to account for those gaps and weaknesses. Then, practice again as soon as practical to make sure that the solutions really work. Testing is the only way to translate the elements of your plan into effective action.
When determining how often and how extensively you should test, consider that most business continuity experts advise businesses to test as often as possible, and at a minimum, on an annual basis. To keep your employees and business resilient, set up a testing schedule and share it with your staff to ensure full participation.
Methods to test your business continuity plan
Most businesses use one of the following methods to test their business continuity plan. Regardless of which method you select, it is important to understand that the testing is not a fault-finding mission; there should not be a passing or failing grade. The objective is to learn and to ensure your plan is fit for any type of disruption.
- Walk-through exercise: this type of exercise will ensure that your employees, at a minimum, are familiar with the plan. In a conference room setting, you should review and discuss all parts of the plan so that everyone understands the content and their responsibilities. The group should consider whether or not the actions outlined in the plan are feasible, and whether they would work in principle.
- Tabletop exercise: in a conference room setting, using a specific emergency scenario, your employees should work through the plan, discuss their step-by-step responsibilities and how they would react to the particular situation. The scenario should include several unexpected interjections during the exercise. This type of exercise can identify documentation errors, missing information and inconsistencies. The emphasis should be to validate the contents of the plan rather than the development of the plan.
- Full-scale/live exercise: this type of exercise involves all employees, actually rehearsing the actions contained in the plan. It is designed around a realistic scenario; participants should respond as though the scenario were real, deploying the resources that would normally be used.
Questions to consider: exercise preparation
The following are some important questions to consider when preparing for your next exercise, drill or test. Prior to any exercise or test, be sure your plan has been reviewed and updated, and is ready to use.
- What parts of your plan will be tested?
- What is the scope and objectives of the test?
- Which business processes am I testing?
- Am I testing the ability of my employees to function remotely?
- Am I testing my business’ technology and connectivity?
- Are there new or changed processes or systems that need to be tested?
- Am I testing my notification procedures including my company telephone call list flow and response times?
- What type of test will this be — walk-through, tabletop or full-scale?
- Who needs to be involved in this test?
- Have I selected an observer (for comments and feedback) and scribe (to take notes)?
After the test, drill or exercise, you should document what worked well, what areas needed improvement, and any action items. Based on these findings, your plan should be modified to include the recommended improvements.
Sample tabletop exercise from OFB-EZ
Disaster exercises provide opportunities for you to test company disaster readiness; train employees through practice; improve employees’ ability to make informed decisions when responding to an emergency; identify what needs to be done during and after a disaster; and examine a specific scenario or situation more closely.
OFB-EZ includes an exercise dealing with a common business disruption — an extended power outage. The scenario is available in the OFB-EZ toolkit. After accessing the scenario, gather your team, key employees and anyone else who would benefit from the exercise, and begin the discussion with the questions provided. This can be done informally, such as during lunch or as part of a staff meeting.
The “final exam” for any business continuity plan is whether it works when needed during an actual disruption. What seems like a great amount of work to update, test, and improve your plan now may be what saves your business following a disaster. And, in the meantime, your business will be stronger and your employees better prepared for the unexpected.
This material is provided for informational purposes only and does not provide any coverage or guarantee loss prevention. The examples in this material are provided as hypothetical and for illustration purposes only. The Hanover Insurance Company and its affiliates and subsidiaries (“The Hanover”) specifically disclaim any warranty or representation that acceptance of any recommendations contained herein will make any premises, or operation safe or in compliance with any law or regulation. By providing this information to you, The Hanover does not assume (and specifically disclaims) any duty, undertaking or responsibility to you. The decision to accept or implement any recommendation(s) or advice contained in this material must be made by you.
171-1024 (02/14) LC 14-50