Top tips for a business continuity/disaster recovery plan that works
When a crisis breaks, employees and other stakeholders must know for certain what actions need to be undertaken, and who is responsible for them, says Karen Humphris, senior manager: Advisory at ContinuitySA.
According to research conducted by the Business Continuity Institute in 2019, 71% of organisations activated their response plans at least once over the past year.
"This finding is consistent with the previous year's survey, and indicates just how important it is to have a response plan that works well," says Karen Humphris, Senior Manager: Advisory, ContinuitySA, Africa's leading provider of business resilience services.
Based on ContinuitySA's three decades of experience, she offers the following tips to ensure an organisation's business continuity and/or disaster recovery plan performs as desired when the chips are down:
* Establish clear roles and responsibilities. When a crisis breaks, employees and other stakeholders need to know for certain what actions need to be undertaken, and who is responsible for them. This should include clearly identifying who has the authority to declare a disaster and invoke the appropriate plan.
* Think resilience. Plans must not only provide sufficient guidance, but must be flexible enough to address any event. A good idea is to structure the plan around dependencies, and to provide enough detail to allow for it to adapt to different scenarios. A common mistake is for plans to be too inwardly focused. It is also very important that plans are practical and user-friendly: role-players must be able to navigate efficiently through an event.
* Don't focus on IT alone. IT is critical, of course, but the BCP must look at the big picture, and cater for all dependencies. These would include key staff, specialised equipment, IT system/application requirements, key third-party service providers and site requirements.
* Make provision for emergency response and crisis management, including crisis communication. The first response is vital, especially from the point of view of ensuring the safety of employees and others. As the crisis unfolds, well-crafted and accurately disseminated communications are vital not only in keeping staff informed (and thus maintaining morale), but also in ensuring that the outside world gets the right messages. Poor crisis communication can irretrievably damage brand reputation.
* Refresh role-players' awareness and understanding of the BCP and DRP continually. Don't assume that role-players know what they have to do, or will remember over time. The plans need to be kept alive for them.
* Consider a mobile app. An app can ensure that plans are activated and executed timeously; it also enables the constant exchange of information between role-players, thus increasing the chances of success.
* Take out cyber insurance. While IT should not be the focus of BCPs, its importance as the platform for modern business means it is a key vulnerability. Over the past two years, the Business Continuity Institute's Horizon scans indicate that cyber security has become the number one threat to organisations. Cyber insurance does not only cover liabilities; it can also provide access to specialised skills like lawyers, forensic investigators and crisis communication specialists.
* Engage a specialist business continuity provider to undertake a gap analysis. This will reveal the organisation's current state of readiness and also any shortcomings in the existing BCP and DRP. A maturity assessment should also be performed periodically to ensure the plans are constantly enhanced.
* Test, test, test. Your BCP and DRP might look good on paper, but they need to be tested regularly. This is the only way you can be sure they work and that everybody knows what they have to do.