
Pour the Coffee

Let’s put on a pot of coffee and roll up our sleeves for this one.  We are about to get into the meat of the Business Continuity Plan and we will want to slow things down and focus on our business functions.  The good news is when we are finished with today’s effort, we will complete Chapter 1 and be 40% finished with the Plan.

And if you have followed our guidance during the Pandemic, your company operations should be flexible in a variety of conditions due to adopting work from home solutions.  This can include laptops, VPNs, IP phones, cloud applications and document storage, or other technologies that help extend your business functions outside of your brick-and-mortar environment.  For TCS, this becomes a game changer and creates an almost seamless transition across all business functions to shift from the office to a home/remote office setup.

1.6 Risk Assessments

We will now document and score what threats may impact our People, Process, and Technology.  As you can see from the screenshot above, we will assess/score the Probability of the threat, the Business Impact of that threat, and our ability to Control the threat.  Each of these will be scored on a scale of 1 to 5, 1 being “Low”, “No Impact”, and “Good” respectively and 5 represents “High”, “High Impact”, and “Poor” respectively.

The tool provides a sample threat list like the one pictured below:

Also, an example of the Risk Assessment table is provided:

Take time to read through the list of threats and look at the examples on how you may score the threats, along with a summary of how the threat could be mitigated.  Each organization will vary in the type of threats, the scoring, and how the threats are mitigated.  This is where you want to spend some energy deliberating on this and work with your team to come up with a comprehensive list.  This exercise could expose some areas where you may need to do more to beef up your continuity strategy.

TCS ended up with 13 different areas but most of them could be at least partially mitigated by defaulting to a work from home strategy.  This may not be possible for all your team, especially if their job function is dependent on equipment or systems on premise.  A helpful tip is to review the Houston County Pre-Disaster Mitigation Plan located here:

https://www.houstoncountyga.org/skins/userfiles/files/Houston%20Co%20PDMP%202020%20(Public).pdf.

This plan addresses many external threats common to our region and can inform your mitigation strategies or affect your scoring because some of these threats are being mitigated at a higher level already.  There is no absolute right or wrong here and the important thing is that these threats are considered and addressed in some logical fashion that is appropriate for your business.  A useful strategy I learned from attending the GBA Southern Operations and Technology School and by working with other Risk Management professionals is to rank order the threats by multiplying each of the 3 score areas (Probability x Impact x Control).  This will give you a composite score for each threat category ranging from 0 to 125.  Understanding these threats as a ranked list can help prioritize spending to further reduce risk if there are gaps in your capabilities.  Of course TCS is available to consult with you regarding your business technology strategy to better align with your mitigation plans.
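A worked example of the ranking strategy just described, added here as illustration (it is not code from the post or from the BCP Generator tool; the threat names, scores and mitigations are constructed). It validates each score against the 1 to 5 scales, computes Probability x Impact x Control, ranks the register, and shows how re-scoring Control after a new mitigation changes the ranking.

```python
"""Rank a business continuity risk register by composite score.

Scales as described in the plan: Probability (1 low .. 5 high),
Business Impact (1 no impact .. 5 high impact), Control (1 good .. 5 poor).
Composite = Probability x Impact x Control; with 1..5 inputs the product
always falls between 1 and 125, inside the 0..125 range quoted above.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # 1..5 inclusive


@dataclass(frozen=True)
class Threat:
    name: str
    probability: int
    impact: int
    control: int
    mitigation: str = ""

    def __post_init__(self):
        # Reject scores outside the 1..5 scale so a typo cannot skew the ranking
        for field_name in ("probability", "impact", "control"):
            value = getattr(self, field_name)
            if value not in SCALE:
                raise ValueError(f"{self.name}: {field_name}={value} must be 1-5")

    @property
    def composite(self) -> int:
        return self.probability * self.impact * self.control


def rank_threats(threats):
    """Highest composite first; ties go to the threat with poorer control, then by name."""
    return sorted(threats, key=lambda t: (-t.composite, -t.control, t.name))


def rescore_control(threat, new_control):
    """Model a new mitigation (e.g. a work-from-home capability) as an improved Control score."""
    return Threat(threat.name, threat.probability, threat.impact, new_control, threat.mitigation)


# Constructed sample register (illustrative values only, not TCS's actual assessment)
SAMPLE_REGISTER = [
    Threat("Tornado", 3, 5, 3, "Work from home; county PDMP coverage"),
    Threat("Power outage", 4, 3, 2, "UPS/generator; remote work"),
    Threat("Ransomware", 3, 5, 4, "Offline backups; MFA"),
    Threat("Key staff unavailable", 2, 3, 3, "Cross-training"),
]

if __name__ == "__main__":
    for t in rank_threats(SAMPLE_REGISTER):
        print(f"{t.composite:4d}  {t.name:24s} P={t.probability} I={t.impact} C={t.control}  {t.mitigation}")
```

Running it prints the register highest risk first, which is the ordered list to hold up against your mitigation budget.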

1.7 Business Impact Analysis Summary

In this step we want to describe how you determined what to include and leave out of your risk analysis.  What business functions, processes, and interdependencies did you consider?  This does not have to be perfect, and it will likely change over time as you revise your plan, but we want to get a basic statement down on paper and go from there.  Part of our BIA statement included factors studied by Houston County in their plan and we made certain assumptions as a result.  For example, the frequency of tornadoes and floods is addressed in their document.

In the BIA Summary example pictured above, you will see how the Plan will document your different business units and its functions along with the associated manager, processes, and related risks.  Additionally, you will want to determine the maximum time you will allow for a critical function to be down, and the daily revenue loss caused by the loss of business function.  The Recovery Time Objective (RTO) will inform how you prioritize your resources before and during a disaster to recover these functions.  Defining the RTO and RPO (Recovery Point Objective) also helps IT know what business continuity and disaster recovery (and backup history) you need to recover business functions, including the information systems and data.  The lower (in number of days or hours) your RTO and the narrower your RPO, the more expensive the technology solutions will be to achieve the desired goals.  This will be a calculated tradeoff between the capital and operational cost of the technical capability versus the likelihood and (financial or business reputation) impact of an event.  This is a conversation to be had with your IT folks well before a disaster.  It will not be helpful to have an undefined RTO only to discover recovering your data from the cloud will take days and you want that business system up in hours.

1.8 Business Continuity Strategy

In this section we want to describe, at a high level, the overall approach to maintaining continuity of your business functions.  This will include basic details of a secondary site for temporary operations along with a map and contract information for that site.

1.9 Emergency Operations Center (EOC) Locations/Contacts

This section is straightforward.  You will list each of your Emergency Operations Center locations, a named point of contact, and a phone number for each site.  This could be one site, or you may define multiple.  It is a good idea to have a prearranged agreement with another organization if they have space to accommodate your business continuity team in an emergency.  This could be a reciprocal agreement.

1.10 Alternate Site Locations and Contacts

You will want to complete a similar list for alternate sites for business operations.  This could be the same as your Emergency Operations Center or a different location.  If you have an offsite storage facility, you will want to document that in the appropriate section as well.

1.11 Organizational Chart

A disaster is not the time to try and figure out who works where and reports to whom.  Take the time now, if you do not have one, and document the business functions, management, and staff across your business.  If you have this already, simply copy and paste the image into the space provided.

1.12 Team Descriptions and Organization Chart

If your business continuity team will differ in personnel or structure from your org chart, it will be helpful to create a similar chart to define your Business Continuity Organization structure.  An example is provided below; however, this is overkill for TCS being a smaller company, so we opted just to keep our regular org chart knowing the CEO and COO will quarterback the continuity and recovery efforts while Service is busy supporting our clients.  Your mileage may vary.

1.13 Emergency Response Plan Summary

You will summarize the key elements of your Emergency Response Plan in this section.  This plan is separate and distinct from the Business Continuity Plan, although there is overlap.  The BCP will focus primarily on recovery and mitigation and the ERP will focus on preparedness and response.

Okay, time to hit the pause button until next week.  From here we will document various teams and essential lists that are critical to business operations.  This will take us into Chapter 2 of the tool/plan – Critical Business Information.  For those who like checking boxes, here is where we are until we take this up again.  Good progress!

We are continuing from where we left off after the second installment of this series.  Now that we have the app installed and running, it is helpful to revisit where we are on the Site Map.

Preliminary

Title Page

A straightforward title is good.  Ours is simply “TCS Business Continuity Plan”.  Add a date and then move on to the next sections.

Version History

Versioning your document will help you track revisions over time and facilitate distribution of these changes.  The best practice here is to replace the entire document with an updated version to ensure subtle changes are not overlooked if you were to merely swap out pages.  Fill out the remaining information to track who implemented and approved the changes and why changes were made…maybe “Baseline Plan” initially and “Annual Update” thereafter.

The good news is the app shows we are now 4.5% complete.  This is positive feedback for those who enjoy checking boxes and striking through task lists.  In fact, if you have that type in your organization, they are likely a good resource to oversee this effort, attention to detail being a key trait as well.  This is not a project to pencil whip.

When you feel stuck or need some extra help, there are often Sample Text links plus the Help menu option is a great resource.

Confidentiality Statement

Your Business Continuity plan is proprietary, sensitive, and confidential.  You do not want this information getting into the wrong hands.  Accordingly, the plan should only be distributed to those accountable and/or responsible for its execution.  Further, the Confidentiality Statement should reinforce the requirement to keep this information close to the vest.

For TCS, we used the sample text and tweaked it a bit from there.

There is an option to add a footer to the document as well.  Marking every page as “Confidential” at a minimum would make sense.

When you Mark Complete and Forward, BCPG will mark this done in the Site Map and increment the overall progress on the progress bar at the top of the app.  Otherwise, if the section is not complete and you want to skip around, it is best to use the Back and Forward buttons.

Business Continuity Plan Distribution/Update List

Much like the section for Version History, we want to track when and to whom the plan is distributed.  For example, collecting a hard copy printout during an employee off boarding would be advisable.  Further, it is helpful to demonstrate that your plan is a living document and an integral part of your business continuous improvement and regulatory compliance process.

Be sure your only copy of the plan is not in your building.  An office flood or fire would be made worse by losing this document as well.  Cloud storage and (tracked) off site physical copies are recommended.  Business owner and/or CEO?  Keep a copy at your house.  In fact, I would ensure all key personnel responsible for managing the business continuity process have a physical copy at home.  This would help in a widespread regional event (maybe driving to the office is not an option) and a grid-down situation (Internet or power outage, for example).

Chapter 1 – Overview and General Information

1.1  Overview

The plan overview provides a summary of the plan’s purpose and contents.  Again, we went with the sample text and adjusted from there.  At this point the tool shows we are over 11% complete.  So far, so good.

1.2 Scope

The guidance under “Scope” is to limit the BCP to one facility/office.  This is to allow for variations between different site locations.  If this does not apply, like TCS only having one office, simply put the address of the main site.  Larger organizations, or businesses with sites that vary significantly in function, may want individual plans per facility accordingly.

1.3  Business Continuity Program Policy

After simplifying the language in the BCP policy, I thought it would be important to add a line linking this policy to any regulatory requirement – I did so as follows: “TCS recognizes the regulatory requirement and the practical benefit of risk reduction achieved by maintaining a robust BCP program.”  Also, I downgraded the language of maintaining a “Certification Program” to “employee training”.  While it is essential for employees to understand their role under the plan, many small businesses cannot support a formal certification process and, as a result, shouldn’t state this in their plan.  This needs to be practical and workable, not some pie in the sky formality that cannot be managed effectively.  That’s my two-cents, at least.

1.4 Planning Assumptions

Okay, time to put your thinking caps on for a while.  Some of the next few sections will be very specific to your organization and its staff and your technical (or manual) capabilities.  One thing Covid has taught TCS and many of its clients is that business continuity need not be a far stretch from everyday mobility capabilities.  In fact, my very first blog article for TCS was on the topic: https://choosetcs.com/2021/01/14/strategy-business-inside-out/.  And we followed up on that concept with a recorded webinar now shared on our TCS Education Youtube channel.  If you can design your workflows and technology around a mobility-first mindset, you are well ahead of the game in the assumptions you can make during a disaster.  Because of this, thinking through this section of the plan was a straightforward process.  If yours is not, it may be time to work with TCS to strategize on how to enable these capabilities for your organization.  This cannot be an afterthought!

1.5  Objectives

Next you will want to list the objectives of your plan.  This will include the goal and focus of your plan, the scope, and what kind of events your plan will address.  Here are a few objectives in our plan:

  • The BCP will primarily focus on maintaining service delivery where other business functions will be deprioritized until Service has maximized its capabilities.
  • The BCP will seek to ensure the health and safety of TCS employees and its clients.
  • The BCP will provide practical steps and guidance for TCS to restore and maintain its operations.
  • The BCP will define under which conditions the formal plan will be activated, but this will not prevent taking needed actions before the plan is in effect.
  • The BCP will address natural and man-made disasters, including: flood, fire, hurricane/tornado, ice/snow, pandemics, utility service outages, and cyber attacks.

Marking this complete now puts us at the 20% mark.  With that, we will hit the pause button for now and pick up next time with “Risk Assessments”.  We will want to camp out a bit on this one, so this is a good stopping point for now.  Before the next session, you will want to think back on the “People, Process, and Technology” business model to help you identify what things in your business could be at risk, and impacted, during an event.

As a continuation of our multi-part series on developing your own Business Continuity and Disaster Recovery plans, we will transition to installing, running, and familiarizing ourselves with the tool we will use to create our plans.

Installing the Tool

When you download the Business Continuity Planning Suite tool, you will want to save the zip file to wherever you intend to run the tool.  I find it convenient to work from my Desktop and then move the folder elsewhere when I am “done”.  And after I right click and extract the zip file, I have a new folder with the unzipped contents.

You want to navigate to the “Business_Continuity_Planning_Suite” subfolder and open the .html file labeled conveniently, “STARTNOW”.

After you double-click the file to run it, you should end up on a web page in your browser (I’m using Google Chrome) that looks like this:

On occasion, given the age of this tool, you may find some broken links where DHS/FEMA have not maintained the live site, but we will ignore those and use the other relevant parts of the tool.  For example, the link to the Business Continuity Training does not work.

We will also set aside the Business Continuity Plan Exercise component for now and most likely revisit that in a later article.  We need to build our plans before we can test them, after all.  That means our conversation for now will focus on using the Business Continuity Plan Generator and the Disaster Recovery Plan Generator (IT Recovery).

Timeout to Consider Business Models

Before we go further, it is helpful to think of BCDR relative to a mental model of your business.  This model makes it easier for us to categorize what “things” might be at risk to some internal or external threat and vulnerability.  I like to use the People, Process, and Technology (PPT) model as represented below.  This helps me think about the business in an organized way to define what areas should be addressed in the plan.

Running the App

Let’s start with clicking the button for the Business Continuity Plan Generator.  We will come back to the Disaster Recovery piece later in this blog series.  Clicking the link will run an executable (.exe) file in your extracted folder and you will be prompted to extract this component of the tool.  I chose the default location of saving it in the top level of our main unzipped app folder.  This results in a subfolder called “Business_Continuity_Plan_Extract”.  Within that folder is an application labeled “Business_Continuity_Plan”.  This is the main app we will use throughout the development of our plan.  When you run the app for the first time you will be prompted to create a user account.

Instructions

Since the app does a great job of stepping you through the process of using the tool to generate your plan, we will not reinvent the wheel in that respect.  Simply click on the Instructions link to pull up the document.  I will instead spend the rest of our time providing commentary on the different sections.

Checklist

Before we move on to the main part of the app, we want to look at the checklist.  Selecting Checklist from the menu will bring this up.  Now is a good time to detail the information that needs to be collected before you start working on your plan.  The following comes straight from the software checklist:

  • The name and address of the facility or business site for which this plan is being generated
  • Your company’s organization chart
  • Your organization’s confidentiality requirements
  • Your organization’s Business Continuity Plan Policy and Emergency Response Plan
  • A list of your organization’s mission critical:
    • Equipment
    • Software
    • Supplies list
    • Vital records
    • Business processes and interdependencies
  • The address and contact phone number in the event of a declared disaster for your:
    • Identified business recovery center
    • Designated emergency operations center(s)
    • Alternate site and offsite storage locations
  • The name and contact information of your organization’s:
    • Executive Management Team
    • Security Team
    • Business Continuity Coordinator
    • Damage Assessment/Salvage Team
    • Logistics/Transportation Team
    • PR/Communications/Marketing Team
    • Facilities/Security Team
    • IT/Telecommunications Team
    • Finance/Accounting Team
    • Human Resources Team
  • A list of your organization’s contact information, account numbers, and points of contact where applicable for:
    • Vendors
    • Customers
    • Fire
    • Police
    • Ambulance
    • Hospital
    • Poison Control Center
    • Chemical Release
    • Electric Company
    • Gas Company
    • Water Company
    • Internet Service Provider
    • Wireless Service Provider
    • Security Company
    • IT Support Provider

Feel free to customize these lists to your organization’s needs.  The goal here is to gather as much of this information as you can at the start to save time later when you will copy and paste these details into your plan template.  As you will notice from the checklist, there are ten (10) teams named.  This will be too many for a small organization, so you may want to keep the teams in name only or combine them.  The important part is these functions exist in the plan and each group/role is clearly defined and assigned to your personnel.  It will be common for a person in a smaller organization to wear multiple hats and represent different functions on more than one team.

Start Now

When we arrive at this step by clicking the Start Now button, you will be prompted to give your new plan a name along with a password.  While it is possible to manage multiple plans this way, perhaps for different sites or divisions within an organization, we will assume one plan is sufficient.  I am using the same password for the plan as I did for the application account, but you could make these different if multiple teams were sharing the same instance of the application.  From now on when you open the app, your plan document name will be available in a drop-down to select each time.

Now that you are in the core part of the application, a high-level overview of the process can be seen by navigating to the Sitemap section.

As you can begin to appreciate, there are many steps and sections to developing a comprehensive plan.  I will stress again the importance of scheduling time to work on smaller bits of this over time.  Rome was not built in a day and neither is an effective Business Continuity plan.  Fortunately, the rest of the process follows a simple (and did I mention lengthy?) wizard and template flow, prompting completion of one section at a time.  You can, however, skip around using the Site Map if you want to focus on particular sections out of order.  There is no right or wrong to this, simply devoting the time and energy to getting it done.  It may be helpful to delegate some of the work to those who can perform guided data entry and have others come back and review the information.  Whatever works best for your team.

Taking a peek at the Resources section is also helpful, but we will call out relevant appendices when they are part of the main section being discussed.  The glossary is handy when particular terms or acronyms are unclear.  We will do our best to define any of these in the context of the article as we move forward.

This is probably a good time to remind you to be sure the main folder and its contents are being backed up regularly.  For me this means my Desktop and other user profile folders on my laptop are being synced to my M365 OneDrive cloud storage and Service manages a cloud-to-cloud backup of that environment from there.  This allows me to work how I want but still take comfort that my work is being protected.  After all, effective backups are all part of a good Business Continuity plan.  When I am finished with the final version, I will likely move the folder to a MS Teams share where Management can have access to the plan and make revisions over time.  At that point, we will have moved from the initial project phase to the ongoing testing and maintenance of the plan.  Much like anything with security & compliance, this is a journey not a destination.

From here on we will divide up the article into chapters corresponding to the various sections outlined in the Site Map and we will refer to the Business Continuity Plan Generator as BCPG.