2020 taught business owners an important lesson: the need to be prepared for a potential crisis. There’s a formal name for this—Business Continuity Planning (BCP). If you want your business to survive pandemics, economic recessions, natural disasters, and other emergencies—BCP can help. We’ll cover some of the areas you’ll need to think about and what you can do to get a business continuity plan in place.
Why Business Continuity Planning is Important
BCP helps you prepare for the unexpected. Although we can’t accurately predict how business circumstances, marketplaces, or environments are going to change, BCP does allow you to react quickly and decisively. Which is vital. Because the consequences of not having a continuity plan can be dire:
- One-in-five businesses will suffer from fire, flood, power failures, hardware, security, or software emergencies.
- Between 40 and 60 percent of businesses without a plan won’t open after a disaster.
- Even if a business survives an immediate disaster, up to three-quarters of businesses without BCP will fail within three years.
- Companies without a BCP are very likely to make bad decisions as they are trying to recover.
The Types of Crises a Business Continuity Plan can Help With
- Fire or flooding directly impacts your business or stops you from getting onto the premises.
- Construction digs through important cables, cutting off your power and internet.
- Geopolitical tensions create trade tariffs and customs problems that delay or increase the price of goods.
- Hackers compromise your cybersecurity and steal large amounts of personal data.
- Thieves break into your premises and steal office equipment and computers.
How to Set Up a Business Continuity Plan
There are several business continuity planning steps you’ll want to go through to create the right approach:
- Identify the areas where your business is most at risk and the likelihood of them occurring.
- Carry out a business impact analysis to discover how these risks would affect you.
- For each of your risks and impacts, get contingencies in place that you can use when needed.
- Document, test, and revise the plan and share with all stakeholders.
Business Continuity Planning: Identifying Risk
It’s impossible to plan for every eventuality, but you can make educated guesses on the disasters most likely to impact your business. You can start by listing out the various areas where disasters could occur. These might include:
- Fire, flooding, hurricanes, and other climate-related emergencies.
- Data breaches, theft, and illegal access to your customer information and business systems.
- Third-party issues such as vendor loss or supply chain interruptions.
- Power, data center, IT, or communications outages.
- Workforce-related outages like key personnel becoming ill or deliberate sabotage from disgruntled employees.
For each of these areas (and others that may be unique to your sector or industry), it’s important to identify what the specific risk to your business might be. Once you have a list of specific risks, you will need to prioritize them for BCP. The easiest way to do this is to measure each risk in two ways:
- The impact of the risk if it does happen.
- The likelihood of the risk happening.
Business Continuity Planning: Business Impact Analysis and Likelihood
Measuring the business impact of risks means understanding how they’re going to interrupt your business operations, and what those interruptions are going to cost—directly or indirectly. It’s helpful to view this in terms of the potential loss for your business. For each risk you’ve identified, understand how it will impact:
- Loss of customer satisfaction due to them not being able to communicate, receive goods and services, and other factors.
- Loss of company reputation and trust due to not being prepared for an emergency, having personal information stolen, or mismanaging expectations.
- Loss of sales or income due to not being able to provide products or services in a timely manner.
- Loss of equipment or data that creates further risks of identity theft or operational efficiency.
- Loss of new business due to inability to communicate and trust issues.
- Loss of operating revenue due to regulatory fines.
Quantify these impacts as much as you can, and rank them from highest impact to lowest impact. You can then map the impact on each of your risks.
The likelihood of a risk occurring is harder to predict, mainly because so many unknown factors are at play. One way to do this might be carrying out research and assigning each risk a likelihood level:
- Very likely to happen.
- Somewhat likely to happen.
- Somewhat unlikely to happen.
- Very unlikely to happen.
You can develop your own likelihood criteria and thresholds dependent on your business niche and exposure to risks.
Business Continuity Planning: Putting Contingencies in Place
The combination of impact and likelihood will allow you to identify your most urgent risks. For example, you will prioritize something that is “Somewhat likely to happen” and has a high impact, over something that is “Somewhat unlikely” and has a medium impact. You should get contingencies in place for your most urgent risks before moving down the list.
For each of your highest priority risks, you will need to ask:
- Do I fully understand the potential impact and likelihood of this risk?
- Is this a risk that I want to plan for, or do I “accept” that it might happen and the damage that could cause?
- If I do want to plan for this risk, what contingencies can I put in place and what are the costs of doing so?
- What do I need to do next to get the contingency in place?
The type of contingencies you use will vary widely depending on the risks you’re dealing with. For example, they might include:
- Completing regular and real-time data backup in the event of data loss.
- Hiring a cybersecurity provider to protect your business from data breaches.
- Moving your business applications and systems onto the cloud to avoid local data center outages.
- Installing a backup generator in the event of a power outage.
- Having detailed communications plans in place for messaging employees and customers in the event of a disaster.
- Immediately removing systems access from terminated employees.
- Getting backup suppliers and manufacturers in place if the supply chain gets cut.
- Implementing communication and collaboration technologies to make it easier for people to work from home.
Explore how much these contingencies will cost, how necessary they are, and how quickly you can implement them. Once you’ve done that, kick off business projects to get them in place.
Business Continuity Planning: Document, Test, and Revise the Plan
Getting contingencies in place is a big part of BCP, but it’s also important to document the processes you will need to go through and how you will manage the disaster. Your BCP document should include:
- The various risks you’ve identified, likelihood, impact, and mitigation planning for each one.
- Default, fallback positions and contingencies if the risk occurs.
- Detailed, step-by-step guides on how to manage critical business systems and communications in the event of a disaster.
- Disaster recovery steps to get up and running as quickly as possible.
Once you have a BCP document, share it with all stakeholders that may be impacted by business disasters. You will also want to run drills and test out the plan to see what needs to be tweaked and changed, and update the plan on a regular basis.