Business Continuity Part 3
We are continuing from where we left off after the second installment of this series. Now that we have the app installed and running, it is helpful to revisit where we are on the Site Map.
Preliminary
Title Page
A straightforward title is good. Ours is simply “TCS Business Continuity Plan”. Add a date and then move on to the next sections.
Version History
Versioning your document will help you track revisions over time and facilitate distribution of these changes. The best practice here is to replace the entire document with an updated version to ensure subtle changes are not overlooked if you were to merely swap out pages. Fill out the remaining information to track who implemented and approved the changes and why changes were made…maybe “Baseline Plan” initially and “Annual Update” thereafter.
Good news is the app shows we are now 4.5% complete. This is positive feedback for those who enjoy checking boxes and striking through task lists. In fact, if you have that type in your organization, they are likely a good resource to oversee this effort. Attention to detail being a key trait as well. This is not a project to pencil whip.
When you feel stuck or need some extra help, there are often Sample Text links plus the Help menu option is a great resource.
Confidentiality Statement
Your Business Continuity plan is proprietary, sensitive, and confidential. You do not want this information getting into the wrong hands. Accordingly, the plan should only be distributed to those accountable and/or responsible for its execution. Further, the Confidentiality Statement should reinforce the requirement to keep this information close to the vest.
For TCS, we used the sample text and tweaked it a bit from there.
There is an option to add a footer to the document as well. Marking every page as “Confidential” at a minimum would make sense.
When you Mark Complete and Forward,BCPG will mark this done in the Site Map and increment the overall progress on the progress bar at the top of the app. Otherwise, if the section is not complete and you want to skip around, it is best to use the Back and Forward buttons.
Business Continuity Plan Distribution/Update List
Much like the section for Version History, we want to track when and to whom the plan is distributed. For example, collecting a hard copy printout during an employee off boarding would be advisable. Further, it is helpful to demonstrate that your plan is a living document and an integral part of your business continuous improvement and regulatory compliance process.
Be sure your only copy of the plan is in your building. An office flood or fire would be made worse by losing this document as well. Cloud storage and (tracked) off site physical copies are recommended. Business owner and/or CEO? Keep a copy at your house. In fact, I would ensure all key personnel responsible for managing the business continuity process have a physical copy at home. This would help in a widespread regional event (maybe driving to the office is not an option) and a grid-down situation (Internet or power outage, for example).
Chapter 1 – Overview and General Information
1.1 Overview
The plan overview provides a summary of the plan’s purpose and contents. Again, we went with the sample text and adjusted from there. At this point the tool shows we are over 11% complete. So far, so good.
1.2 Scope
The guidance under “Scope” is to limit the BCP to one facility/office. This is to allow for variations between different site locations. If this does not apply, like TCS only having one office, simply put the address of the main site. Larger organizations, or businesses with sites that vary significantly in function, may want individual plans per facility accordingly.
1.3 Business Continuity Program Policy
After simplifying the language in the BCP policy, I thought it would be important to add a line linking this policy to any regulatory requirement – I did so as follows: “TCS recognizes the regulatory requirement and the practical benefit of risk reduction achieved by maintaining a robust BCP program.” Also, I downgraded the language of maintaining a “Certification Program” to “employee training”. While it is essential for employees to understand their role under the plan, many small businesses cannot support a formal certification process and, as a result, shouldn’t state this in their plan. This needs to be practical and workable, not some pie in the sky formality that cannot be managed effectively. That’s my two-cents, at least.
1.4 Planning Assumptions
Okay, time to put your thinking caps on for a while. Some of the next few sections will be very specific to your organization and its staff and your technical (or manual) capabilities. One this Covid has taught TCS and many of its clients is that business continuity need not be a far stretch from everyday mobility capabilities. In fact, my very first blog article for TCS was on the topic: https://choosetcs.com/2021/01/14/strategy-business-inside-out/. And we followed up on that concept with a recorded webinar now shared on our TCS Education Youtube channel. If you can design your workflows and technology around a mobility-first mindset, you are well ahead of the game in the assumptions you can make during a disaster. Because of this, thinking through this section of the plan was a straightforward process. If yours is not, it may be time to work with TCS to strategize on how to enable these capabilities for your organization. This cannot be an afterthought!
1.5 Objectives
Next you will want to list the objectives of your plan. This will include the goal and focus of your plan, the scope, and what kind of events your plan will address. Here are a few objectives in our plan:
- The BCP will primarily focus on maintaining service delivery where other business functions will be deprioritized until Service has maximized its capabilities.
- The BCP will seek to ensure the health and safety of TCS employees and its clients.
- The BCP will provide practical steps and guidance for TCS to restore and maintain its operations.
- The BCP will define under which conditions the formal plan will be activated, but this will not prevent taking needed actions before the plan is in effect.
- The BCP will address natural and man-made disasters, including: flood, fire, hurricane/tornado, ice/snow, pandemics, utility service outages, and cyber attacks.
Marking this complete now puts us at the 20% mark. With that, we will hit the pause button for now and pick up next time with “Risk Assessments”. We will want to camp out a bit on this one, so this is a good stopping point for now. Before the next session, you will want to think back on the “People, Process, and Technology” business model to help you identify what things in your business could be at risk, and impacted, during an event.